Errata

Hierarchical Correctness Proofs for Distributed Algorithms 

Nancy A. Lynch and Mark R. Tuttle 

(MIT Technical Report MIT/LCS/TR-387 dated April 1987) 

At the top of page 21, we make the following definitions: 

The action signatures $\{S_i : i \in I\}$ are compatible if for all $i, j \in I$ with
$i \neq j$ we have $out(S_i) \cap out(S_j) = \emptyset$ and $int(S_i) \cap acts(S_j) = \emptyset$.
The objects $\{O_i : i \in I\}$ are compatible if their action signatures are compatible.

Add to these the following definitions: 

The action signatures $\{S_i : i \in I\}$ are strongly compatible if they are compatible
and no action is contained in an infinite number of the action signatures $S_i$.
The objects $\{O_i : i \in I\}$ are strongly compatible if their action signatures are
strongly compatible.

Notice that a finite collection of compatible objects is strongly compatible, and that
any result holding for compatible objects must also hold for strongly compatible objects.
Lemma 7 holds only for strongly compatible schedule modules, and hence Corollary 8 and
Lemmas 9 and 20 hold only for strongly compatible objects.

Finally, the conclusion is missing from the statement of Lemma 30 on page 45. The 
final sentence of the statement of Lemma 30 should be "Then A satisfies B." 
This thesis introduces a new model for distributed computation in asynchronous
networks, the input-output automaton. This simple, powerful model captures in a
novel way the game-theoretic interaction between a system and its environment, and
allows fundamental properties of distributed computation such as fair computation to
be naturally expressed. Furthermore, this model can be used to construct modular,
hierarchical correctness proofs of distributed algorithms. This thesis defines the
input-output automaton model, and presents an interesting example of how this model
can be used to construct such proofs.



Keywords: input-output automata, models of distributed computation, hierarchical 
protocol verification, modular protocol verification. 

Thesis supervisor: Nancy A. Lynch 

Title: Ellen Swallow Richards Professor of Computer Science and Engineering 



Acknowledgments 



Nancy Lynch has been everything a thesis advisor could be expected to be. Her
courage and fortitude when plowing through difficult drafts is well-known among her
graduate students. She is able to rekindle enthusiasm even in the most discouraging
situations. In a more playful moment, Nancy was once compared with an excited
electron moving from person to person, leaving a portion of her energy with everyone
she meets.

Michael Merritt has also been of great support and assistance. Much of the pre- 
liminary work for this thesis (including the conception of an input-output automaton) 
was done concurrently with work by Nancy and Michael in [LM86] , and their work has 
had a profound impact on this thesis. 

Brian Coan, Alan Fekete, Ken Goldman, Yoram Moses, and Jennifer Welch have 
also made significant contributions to this thesis. Discussions with all of them, and the 
experience of Alan, Ken, and Jennifer as they use input-output automata in their work, 
have motivated a number of improvements in this work. I am particularly grateful to 
Jennifer for her detailed reading of an earlier draft of this thesis. In addition to their 
intellectual assistance, I greatly value their friendship. 

Most valued of all is the friendship of my wife, Margaret, whom I wish to thank for 
her love, support, and knowledge of spelling and grammar. 



This work was supported in part by the Office of Naval Research under Contract 
N00014-85-K-0168, by the Office of Army Research under Contract DAAG29-84-K- 
0058, by the National Science Foundation under Grants DCR-83-02391 and CCR- 
8611442, and by the Defense Advanced Research Projects Agency (DARPA) under 
Contract N00014-83-K-0125. 



Contents

1 Introduction

2 The Input-Output Automaton Model
  2.1 Input-Output Automata
    2.1.1 Composition
    2.1.2 Action Hiding
    2.1.3 Action Renaming
    2.1.4 Remarks
  2.2 Fairness
    2.2.1 Fair Executions
    2.2.2 Fair Equivalence
    2.2.3 Fairness and System Decomposition
    2.2.4 Comparing Fair and Unfair Equivalence
  2.3 Hierarchical Correctness Proofs
    2.3.1 Automaton Satisfaction
    2.3.2 Execution Module Satisfaction

3 An Example
  3.1 The Automaton A_1
    3.1.1 The States of A_1
    3.1.2 The Actions of A_1
    3.1.3 The Execution Module E_1
  3.2 The Automaton A_2
    3.2.1 The States of A_2
    3.2.2 The Actions of A_2
    3.2.3 The Execution Module E_2
    3.2.4 The Execution Module E'_2
    3.2.5 The Satisfaction of E_1 by E'_2
  3.3 The Automaton A_3
    3.3.1 The States of A_3 and M
    3.3.2 The Actions of A_3 and M
    3.3.3 The Automaton A_3
    3.3.4 The Execution Module E_3
    3.3.5 The Execution Module E'_3
    3.3.6 The Solution of E_2 by E'_3
  3.4 Time Complexity

Conclusions


Chapter 1 
Introduction 



A major obstacle to progress in the field of distributed computation is that many of the
important algorithms, especially communications algorithms, seem to be too complex
for rigorous understanding. Although the designers of these algorithms are often able
to convey an intuitive understanding of how their algorithms work, it is often difficult to
make this intuition formal and precise. When these algorithms are rigorously analyzed,
the work is generally carried out at a very low level of abstraction, involving messages
and local process variables. Reasoning precisely about the interaction between these
messages and variables can be extremely difficult, and the resulting proofs of correctness
are generally quite difficult to understand.

An indication that the situation is not completely hopeless is the fact that the
designers are able to give high-level, although informal, descriptions of the key ideas
behind their algorithms. For instance, the distributed minimum spanning tree algorithm
of [GHS83] can be interpreted as several familiar manipulations of a graph. What
is needed is a way of formalizing these high-level ideas, and incorporating them into a
proof of the detailed algorithm's correctness.

One promising approach is to begin by constructing a high-level description of
the algorithm. This description could itself be an algorithm in which high-level data
structures (such as graphs) serve as states, and process actions manipulate these data
structures. This algorithm could then be proven correct using rigorous versions of the
high-level intuitive arguments given by the algorithm's designers. Successive
refinements of this algorithm could then be defined at successively lower levels of detail,
and each shown (rigorously) to simulate the preceding algorithm. Ideally, this approach
would allow us to use in the proof of simulation any property that has already been
proven for preceding levels. In this way, the high-level intuition used to explain the
algorithm would become part of a rigorous proof of the full algorithm's correctness.

Two years ago, we began to consider this approach for a fairly simple but interesting
algorithm for resource allocation in an asynchronous network, an algorithm originally
suggested by Schönhage in [Sch80]. Correctness conditions for this resource arbitration
problem include both safety and liveness conditions:¹ the mutual exclusion condition
that at most one user is using the resource at any given time; and the no lockout
condition that if every user holding the resource eventually returns the resource to the
arbiter, then the arbiter will eventually grant the resource to every requesting user. The
algorithm can be described at three levels of abstraction. At the top level is a simple
set-theoretic statement of the problem, itself described as an algorithm. At the second
level is a graph-theoretic description of the arbiter, and how it moves the resource
around the network. At the third and lowest level is a distributed implementation of
the arbiter, describing in terms of messages and local process variables the protocol
individual processors must follow.

It soon became apparent, however, that traditional models and proof techniques (see
[OG76], [LS84b], and [Hoa85], for example) are not adequate to describe interesting
aspects of the problem statement, algorithm, and correctness proofs. In particular,
while the problem seems most naturally formulated in terms of the game-theoretic
interaction between the users of the arbiter and the arbiter itself, these models require
that the problem be formulated in terms of system states, and do not capture this
game-theoretic aspect of the problem in a natural way. Furthermore, the interaction
between the users and the arbiter clearly distinguishes the arbiter's input actions from
its output actions. Input to the arbiter (a request for the resource) can occur at any
time, regardless of whether the arbiter is in a position to grant the resource. Output
(the granting of requests) occurs only under the control of the arbiter. This notion
of control, the notion that one system component may completely determine when a
particular action is performed, is not easily expressed in these models. We note that
satisfaction of the no lockout condition requires that the arbiter be given "fair turns"
to produce output, rather than simply being overwhelmed by a flood of input. The
ability to express this notion of "fair turns" depends heavily on the ability to express
the notion of one process controlling the performance of an action.

We were therefore led to the development of a new model of distributed computation
in asynchronous systems, the input-output automaton. This model is based on
(possibly infinite-state) nondeterministic automata. Automaton transitions are labeled
with the names of process actions they represent. These actions are partitioned into
sets of input and output actions, as well as internal actions representing internal
process actions. Input actions have the unique property of being enabled from every
state; that is, for every input action there is a transition labeled with this action from
every state. In other words, the system must be able to accept any input at any time.
Thus, a very strong distinction is made between actions locally-controlled by the system
(output and internal actions) and actions controlled by the system's external environment
(input actions). This distinction captures the game-theoretic interaction between the
system and its environment, and gives our model the event-driven flavor characteristic
of many asynchronous distributed algorithms.

¹Informally, properties required of a program can be partitioned into safety properties and
liveness properties. A safety property (such as mutual exclusion [Dij65]) says that nothing "bad"
will ever happen, and a liveness property (such as termination) says that something "good" will
eventually happen. Alternatively, safety properties describe allowed behavior, and liveness
properties describe required behavior. Alpern and Schneider give formal definitions of safety
and liveness in [AS85] in terms of Büchi automata.

In order to construct models of complex systems from models of simpler system
components we define a simple notion of automaton composition. Loosely speaking,
the composition of a collection of automata is their Cartesian product, with a state of
the composition being a tuple of states from the component automata, one from each
component. In order to model communication, we require that automata synchronize
the performance of common (shared) actions. If $\pi$ is an output action of $A$ and an
input action of $B$, then the performance of $\pi$ by both automata models communication
from $A$ to $B$. With simple syntactic restrictions on the composition of automata, we
ensure that composition preserves the notion of control mentioned above: No system
component may block the performance of an output action by any other component.
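
The compatibility and composition definitions above, worked out as an added example in
Python (this code is not part of the report; the user/arbiter automata, the class name IOA
and the helper names are constructed for illustration). Compatibility is checked pairwise
as defined in the errata for page 21, composition forms the Cartesian product and
synchronizes every component that has the action in its signature, and the input-enabled
check is the restriction that makes output actions unblockable:

```python
# Added example, not code from the report: finite I/O automata with the
# compatibility check of page 21 and composition as a synchronized product.
from itertools import product


class IOA:
    """A finite I/O automaton.  steps is a set of (state, action, state')."""

    def __init__(self, name, inputs, outputs, internals, states, starts, steps):
        self.name = name
        self.inputs, self.outputs, self.internals = set(inputs), set(outputs), set(internals)
        self.states, self.starts, self.steps = set(states), set(starts), set(steps)

    def acts(self):
        return self.inputs | self.outputs | self.internals

    def enabled(self, state, action):
        return any(s == state and a == action for s, a, _ in self.steps)

    def input_enabled(self):
        """The defining restriction: every input has a step from every state."""
        return all(self.enabled(s, a) for s in self.states for a in self.inputs)


def compatible(automata):
    """Pairwise compatibility: for i != j, out(S_i) and out(S_j) are disjoint
    and int(S_i) is disjoint from acts(S_j).  (A finite collection is then
    also strongly compatible in the sense of the errata.)"""
    for i, a in enumerate(automata):
        for j, b in enumerate(automata):
            if i != j and (a.outputs & b.outputs or a.internals & b.acts()):
                return False
    return True


def compose(automata):
    """Cartesian-product composition.  An action is performed simultaneously
    by every component having it in its signature; the others stay put.
    An output of one component that is an input of another stays an output
    of the composition, so no component can block another's output."""
    if not compatible(automata):
        raise ValueError("components are not compatible")
    outputs = set().union(*(a.outputs for a in automata))
    internals = set().union(*(a.internals for a in automata))
    inputs = set().union(*(a.inputs for a in automata)) - outputs
    states = set(product(*(a.states for a in automata)))
    starts = set(product(*(a.starts for a in automata)))
    steps = set()
    for s in states:
        for act in inputs | outputs | internals:
            choices = []
            for comp, cs in zip(automata, s):
                if act not in comp.acts():
                    choices.append([cs])          # component does not participate
                    continue
                nexts = [t for (x, a, t) in comp.steps if x == cs and a == act]
                if not nexts:                     # a participant is not enabled
                    choices = None
                    break
                choices.append(nexts)
            if choices is not None:
                steps.update((s, act, t) for t in product(*choices))
    name = "||".join(a.name for a in automata)
    return IOA(name, inputs, outputs, internals, states, starts, steps)


# Constructed sample: one user and an arbiter in miniature.  The user may
# request at any time; the arbiter grants only when a request is pending.
# Both must accept their inputs in every state.
USER = IOA("User", inputs={"grant"}, outputs={"request"}, internals=set(),
           states={"idle", "waiting"}, starts={"idle"},
           steps={("idle", "request", "waiting"),
                  ("waiting", "grant", "idle"),
                  ("idle", "grant", "idle")})        # spurious grant is ignored

ARBITER = IOA("Arbiter", inputs={"request"}, outputs={"grant"}, internals=set(),
              states={"free", "pending"}, starts={"free"},
              steps={("free", "request", "pending"),
                     ("pending", "request", "pending"),
                     ("pending", "grant", "free")})

# Also outputs "request": not compatible with USER, since two components
# would then claim control of the same action.
RIVAL = IOA("Rival", inputs=set(), outputs={"request"}, internals=set(),
            states={"r"}, starts={"r"}, steps={("r", "request", "r")})


def demo():
    system = compose([USER, ARBITER])
    return {
        "input_enabled": USER.input_enabled() and ARBITER.input_enabled(),
        "compatible": compatible([USER, ARBITER]),
        "rival_compatible": compatible([USER, RIVAL]),
        "system_inputs": system.inputs,            # request and grant are both internal to the pair
        "system_outputs": system.outputs,
        "grant_enabled_at_start": system.enabled(("idle", "free"), "grant"),
        "step_count": len(system.steps),
    }


if __name__ == "__main__":
    print(demo())
```

In the composed system the shared action "request" is still an output (of the user), and
"grant" is never enabled in the start state because the arbiter, its controller, has no
grant step there; the user cannot force it.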

Since automata are able to receive every input in every state, it is possible for an
automaton to be flooded with input without having the opportunity to perform actions
required in response to the input received. The satisfaction of most interesting liveness
conditions, however, requires that this does not happen. The notion of fair computation
therefore plays a fundamental role in our model. Informally, a computation of a system
is said to be fair if every system component is always eventually given the chance to
take a step. Since an automaton may model an entire system as well as a single
system component, it is necessary to retain certain information about the structure of
the system being modeled. In particular, it is necessary to retain information about
which actions are controlled by the same system component. With this information it is
possible to determine from a given system behavior whether each system component has
been given the chance to make computational progress infinitely often. We therefore
associate with every automaton a partition of its locally-controlled actions (i.e., its
internal and output actions). The interpretation of this partition is that each class
consists of the locally-controlled actions of one system component. With this partition
we are able to define a simple notion of fair computation in our model.
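
The fairness condition of the preceding paragraph, as an added example (not the report's
code): executions are given as ultimately periodic "lassos" so that "infinitely often" can
be decided, and a class of the partition is reported as starved if it never acts in the
loop although some action of it is enabled in every loop state. The user/arbiter transition
relation, the class names and the sample executions are constructed for the example.

```python
# Added example, not code from the report: deciding the fairness condition
# on ultimately periodic ("lasso") executions of a system whose
# locally-controlled actions are partitioned into classes, one per component.
from collections import namedtuple

# states s0..sn and actions a1..an; loop_start=k (with states[k] == states[n])
# means the steps from index k onward repeat forever; None means the
# execution is finite and ends in states[n].
Lasso = namedtuple("Lasso", "states actions loop_start")


def enabled_actions(steps, state):
    return {a for (s, a, _) in steps if s == state}


def starved_classes(run, steps, classes):
    """Names of partition classes that are not treated fairly in `run`
    (an empty result means the execution is fair).
    Finite run: a class is starved if one of its actions is enabled in the
    final state.  Infinite run: a class is starved if it never acts in the
    loop although some action of it is enabled in every loop state."""
    assert len(run.actions) == len(run.states) - 1
    if run.loop_start is None:
        final = enabled_actions(steps, run.states[-1])
        return {name for name, acts in classes.items() if acts & final}
    k = run.loop_start
    assert run.states[k] == run.states[-1], "loop must close on itself"
    loop_actions = set(run.actions[k:])
    loop_states = run.states[k:-1]            # states[-1] repeats states[k]
    starved = set()
    for name, acts in classes.items():
        acts_in_loop = bool(acts & loop_actions)
        disabled_somewhere = any(not (acts & enabled_actions(steps, s))
                                 for s in loop_states)
        if not acts_in_loop and not disabled_somewhere:
            starved.add(name)
    return starved


# Constructed sample system: one user and an arbiter, state = (user, arbiter).
# The user may re-request while waiting, so it can flood the arbiter.
IDLE, WAIT, DONE = ("idle", "free"), ("waiting", "pending"), ("done", "free")
STEPS = {
    (IDLE, "think", IDLE),        # user busy with something else
    (IDLE, "request", WAIT),
    (WAIT, "request", WAIT),      # repeated request while pending
    (WAIT, "grant", DONE),
    (DONE, "return", IDLE),
}
CLASSES = {"user": {"think", "request", "return"}, "arbiter": {"grant"}}

# Flood: the user requests forever; grant is enabled at every loop state
# but never performed, so the arbiter class is starved (unfair).
FLOOD = Lasso([IDLE, WAIT, WAIT], ["request", "request"], loop_start=1)
# Every component takes a step in the loop: fair.
CYCLE = Lasso([IDLE, WAIT, DONE, IDLE], ["request", "grant", "return"], loop_start=0)
# The arbiter never acts, but it has nothing to do in the loop: still fair.
THINKING = Lasso([IDLE, IDLE], ["think"], loop_start=0)
# Finite run stopping while grant (and a further request) are enabled: unfair.
STOPPED = Lasso([IDLE, WAIT], ["request"], loop_start=None)
```

The third case is the clause that distinguishes this notion from "every component acts
infinitely often": a class that is disabled infinitely often owes nothing, which is what
lets a quiescent arbiter be fair while the flooded one is not.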

Since our model concentrates on the input-output interaction between a system
and its environment (rather than system states), our notion of a problem to be solved
is a collection of system behaviors (sequences of input and output actions) considered
acceptable (rather than conditions on system states). An automaton may be considered
a solution to such a problem if every behavior exhibited by the automaton is contained
in this set of acceptable behaviors. The automaton solves the problem in the sense
that any correctness condition satisfied by each behavior in this set is satisfied by each
behavior of the automaton. As previously mentioned, however, fair computation is
crucial to the satisfaction of most interesting liveness conditions. We therefore require
only that the fair behaviors of an automaton solving the problem be contained in the
set of acceptable behaviors. We note that it is easy to fall into trivial correctness
definitions, allowing trivial or uninteresting solutions to a problem. Our condition
that an automaton be required to accept any input in any state, together with our
notion of fairness, avoids this problem. The requirement that input be constantly
enabled ensures that our solutions are able to respond to all patterns of input. The
use of fairness ensures that the correctness of a solution will be judged only by those
behaviors in which the system is actually given the chance to make progress.

Our simple correctness condition, the requirement that the fair behaviors of an
automaton be contained in some set of acceptable behaviors, is not a new style of
correctness condition. It can be found, for instance, in the work of Lynch and Fischer
in [LF81], and is similar to Hoare's notion of specification satisfaction in [Hoa85]. The
simplicity of such correctness conditions does, however, lend a uniform structure to
correctness proofs in our model. Recall that our notion of a well-structured correctness
proof involves a sequence of models $M_1, \ldots, M_n$, each modeling the algorithm at
successively lower levels of detail. The proof of the algorithm's correctness involves
showing that each model "simulates" the previous model in the sequence; that is, that
the set of (fair) behaviors exhibited by $M_i$ is contained in the set of (fair) behaviors
exhibited by $M_{i-1}$. In this sense, each model $M_{i-1}$ determines a problem that the
model $M_i$ is required to satisfy. The problem of showing that $M_i$ "simulates" $M_{i-1}$
is therefore the problem of showing that $M_i$ solves the problem determined by $M_{i-1}$.
As an aid in doing so, we develop the notion of possibilities mappings, which enable us
to relate behaviors of one automaton to another.
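
A possibilities mapping check for finite automata, as an added example (not from the
report). Condition (1): every start state of the low-level automaton maps onto a start
state of the high-level one; condition (2): every step from a reachable low-level state is
matched, from every reachable high-level state in its image, by an extended step of the
high-level automaton with the same external behaviour. The two arbiter automata, the
mapping dicts and the function names are constructed for illustration.

```python
# Added example, not code from the report: checking a possibilities mapping
# from a low-level automaton to a higher-level automaton over finite state
# spaces.  Automata here are plain dicts with keys "starts", "steps" (a set
# of (s, action, s') triples) and "internal" (the internal action names).
from collections import deque


def reachable(aut):
    seen, todo = set(aut["starts"]), deque(aut["starts"])
    while todo:
        s = todo.popleft()
        for (x, _, t) in aut["steps"]:
            if x == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def internal_closure(aut, states):
    """All states reachable from `states` by zero or more internal steps."""
    seen, todo = set(states), deque(states)
    while todo:
        s = todo.popleft()
        for (x, a, t) in aut["steps"]:
            if x == s and a in aut["internal"] and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def extended_step_targets(aut, start, external_action):
    """States reachable from `start` by an extended step whose external
    behaviour is exactly `external_action` (None: no external action)."""
    before = internal_closure(aut, {start})
    if external_action is None:
        return before
    after = {t for (x, a, t) in aut["steps"] if x in before and a == external_action}
    return internal_closure(aut, after)


def check_possibilities_mapping(low, high, f):
    """Violations of the possibilities-mapping conditions for f : states(low)
    -> sets of states(high); an empty list means f is a possibilities mapping.
    (1) every start state of `low` maps onto some start state of `high`;
    (2) every step (s', pi, s) of `low` from a reachable s' is matched, from
        every reachable t' in f(s'), by an extended step of `high` ending in
        f(s) whose external behaviour is pi (or empty if pi is internal)."""
    violations = []
    for s0 in low["starts"]:
        if not (f[s0] & high["starts"]):
            violations.append(("start", s0))
    low_reach, high_reach = reachable(low), reachable(high)
    for (s1, pi, s) in low["steps"]:
        if s1 not in low_reach:
            continue
        ext = None if pi in low["internal"] else pi
        for t1 in f[s1] & high_reach:
            if not (extended_step_targets(high, t1, ext) & f[s]):
                violations.append(("step", (s1, pi, s), t1))
    return violations


# Constructed sample.  HIGH is a set-theoretic arbiter: a request makes the
# resource pending and the arbiter may then grant it.  LOW refines it with an
# internal "decide" step between request and grant.  Both accept the input
# "request" in every state, as the model requires.
HIGH = {"starts": {"free"}, "internal": set(),
        "steps": {("free", "request", "pending"), ("pending", "request", "pending"),
                  ("pending", "grant", "free")}}
LOW = {"starts": {"free"}, "internal": {"decide"},
       "steps": {("free", "request", "pending"), ("pending", "request", "pending"),
                 ("pending", "decide", "granting"), ("granting", "request", "granting"),
                 ("granting", "grant", "free")}}
GOOD_F = {"free": {"free"}, "pending": {"pending"}, "granting": {"pending"}}
# Mapping "granting" to "free" is wrong: LOW can still grant from "granting",
# but HIGH has no grant step from "free".
BAD_F = {"free": {"free"}, "pending": {"pending"}, "granting": {"free"}}
```

Because the internal "decide" step has empty external behaviour, it is matched by the
zero-length extended step that stays in "pending"; the bad mapping is rejected exactly at
the steps whose high-level counterpart would have to grant from "free".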

We note that our model may be considered a special case of other models such as
Milner's CCS and Hoare's CSP (see [Mil80] and [Hoa85]). Neither of these models,
however, is entirely suitable for our purposes. In the first place, although Milner has
found process states to be mathematically superfluous in CCS, we find the notion of a
process state a convenient descriptive tool when describing algorithms. More important,
however, is the fact that fairness is difficult to express in CCS. Notions of fairness that
have been studied in connection with CCS can be classified as either weak fairness or
strong fairness (see [CS84], [Par85], and [Fra86]). Weak fairness requires that if an
action $\pi$ is continuously enabled, then it must be performed infinitely often. Strong
fairness, on the other hand, requires that $\pi$ be performed infinitely often even if it is
enabled only infinitely often. These notions of fairness, however, are not satisfactory in
event-driven systems. In such a system, for example, a process is always able to accept
interrupts, but should not be required to interrupt itself unless some external source
requests the interrupt. The problem is again the notion of control discussed above.
There is no notion in CCS of an interface between processes from which we can deduce
which process controls the performance of a given action. By making a clear
distinction between input and output actions, and by restricting ourselves to a simple
notion of composition, we find that fairness is very simple to describe in our model.

Similar comments can also be made for CSP with respect to fairness (see [KdR83],
[Rex84], and [Fra86]). In fact, CSP further complicates the problem by identifying
the behavior of a process with the finite behaviors of the process. Since it is
impossible to deduce the infinite behavior of a process from its finite behaviors, CSP
precludes the study of infinitary properties such as fairness without extending the
semantics of a CSP process.

We note further that the complexity of the operations defined in CSP dooms the
language to a complex semantics, making reasoning about systems of processes
unintuitive. Reading [Hoa85], it seems that Hoare himself would prefer to retain for
nondeterministic processes the automata-theoretic (trace-theoretic²) semantics he
develops for deterministic processes. However, the first nondeterministic operation
introduced by Hoare is the nondeterministic OR $\sqcap$, which combines two processes $P$
and $Q$ to form a process $P \sqcap Q$ that nondeterministically chooses (itself) to behave
either like $P$ or $Q$. A second operation, $\Box$, is used to form a process $P \,\Box\, Q$,
allowing the environment to determine whether $P \,\Box\, Q$ behaves like $P$ or $Q$. Both
$P \sqcap Q$ and $P \,\Box\, Q$ have the same traces (since each behaves either like $P$ or $Q$),
but differ subtly in the fact that the environment has no control or knowledge of the
choice $P \sqcap Q$ makes between $P$ and $Q$. Thus it is possible for $P \sqcap Q$ and
$P \,\Box\, Q$ to be placed in an environment offering an action $\pi$ as input, causing
$P \sqcap Q$ to deadlock while $P \,\Box\, Q$ does not. This forces Hoare to make his
first break from the trace-theoretic semantics of deterministic processes and define the
notion of a refusal, a set of actions a process might refuse to perform. In our model,
however, due to the unique property of input actions, a process will not block if its
environment offers $\pi$ as input. Thus, by suitably restricting our model, we are able to
retain the intuitive, mathematically-tractable semantics of automata.

We note that there are systems of processes that cannot be expressed in our model.
Clearly, one such example is a system in which one process can block the progress of
another as in CSP. These omissions, however, are the result of deliberate decisions,
since, for example, it would be easy to define a notion of composition that allows us
to express the process blocking of CSP. The simplicity of our model and its ease of use
are the result of a careful limitation of its scope. Our experience has been that our
model is sufficiently general to allow description of a significant number of interesting
systems. We note that our model has already been found expressive enough to
describe work in network algorithms (see [LLW87] and the third chapter of this thesis),
concurrency control algorithms (see [LM86], [HLMW87], [FLMW87], and [GL87]),
mutual exclusion algorithms (see [Wel87]), hardware register algorithms (see [Blo87]),
and dataflow computation (see [Lyn86]). Furthermore, in many of these papers our model
has been found to be extremely useful when identifying the interface between system
components, and discovering a system's natural decomposition.

²A trace is a sequence of actions performed by a system or process.

Just as popular models of computation do not seem appropriate for our work,
popular proof techniques also seem inappropriate. For example, "Hoare logics" are
a well-known method for proving that programs satisfy partial correctness assertions.
Loosely speaking, a partial correctness assertion is a statement about the behavior of a
terminating program. A program is said to satisfy such an assertion if it is satisfied by
every terminating execution of the program. Therefore, a partial correctness assertion
says nothing about program termination, but describes what will be true if and when
the program halts. Hoare describes in [Hoa69] a method for proving that sequential
programs satisfy partial correctness assertions. His method makes use of the
observation, first noted by Floyd in [Flo67], that partial correctness assertions satisfied
by a program $S$ can be expressed in terms of predicates $P$ and $Q$ describing the
program state before and after the execution of $S$. More formally, if $P$ and $Q$ are
assertions about program variables and $S$ is a program statement, $P\{S\}Q$ denotes the
assertion that if $P$ is true before the execution of $S$ begins, then $Q$ will be true if and
when $S$ terminates. Given a few simple axioms, Hoare shows how to derive partial
correctness assertions $P\{S\}Q$ for arbitrary programs $S$. In the first step of the
derivation, each statement $S_i$ of $S$ is annotated with assertions $P_i$ and $Q_i$. In the
second step, each assertion $P_i\{S_i\}Q_i$ is proven using axioms describing the various
programming language constructs. Finally, general rules of inference (independent of
any programming language) are used to combine these assertions into a proof of $P\{S\}Q$.

Hoare's method has proven to be a very effective method of verifying sequential
programs. Most interestingly, it is possible to write hierarchical correctness proofs.
Each program module $S$ can be specified by a partial correctness assertion $P\{S\}Q$.
Having proven each assertion $P\{S\}Q$, these assertions can be used in the proof of
the larger program without reference to the implementation of $S$. Furthermore, since
reasoning begins with a collection of partial correctness assertions characterizing
program behavior and proceeds via rules of inference, this process can be automated if
programmers are willing to supply certain intermediate assertions. Compilers for the
language Euclid, for example, attempt to construct as much of the proof as possible
(see [LGH78]). Apt has written a comprehensive survey of Hoare logics in [Apt81]
and [Apt84].

In [OG76], Owicki and Gries extend Hoare's method to distributed and parallel
programs. Here, too, each statement $S_i$ of each process $S$ is annotated with assertions
$P_i$ and $Q_i$, and partial correctness assertions $P\{S\}Q$³ are proven for each process $S$
in isolation using a sequential programming logic similar to Hoare's. Unlike sequential
algorithms, however, it is possible for one process action to affect the state of another.
In order to prove partial correctness of an entire system of processes, it is necessary to
prove that no process can invalidate assertions appearing in the sequential proof of
another process's partial correctness. Owicki and Gries refer to this condition as
noninterference. For example, if $P\{S\}Q$ appears in the proof of one process and the
assertion $R$ labels one statement appearing in another process, noninterference requires
that the assertion $(P \wedge R)\{S\}(Q \wedge R)$ hold; that is, the execution of $S$ does not
invalidate $R$.

³Owicki and Gries actually use the notation $\{P\}S\{Q\}$.
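
The noninterference condition above, checked exhaustively over a small finite state space
as an added example (not the report's code). Statements are functions on states, assertions
are predicates, and the interference check enumerates the states in which
$(P \wedge R)\{S\}(Q \wedge R)$ fails. The statement S1, the annotations R1 to R3 and the
variable domain are constructed for the example.

```python
# Added example, not code from the report: exhaustively checking partial
# correctness assertions P{S}Q and the Owicki-Gries noninterference
# condition over a small finite state space.  States are dicts of program
# variables; statements are functions from state to state; assertions are
# predicates on states.
from itertools import product

DOMAIN = range(-2, 4)                      # values tried for every variable


def all_states(variables):
    return [dict(zip(variables, vals)) for vals in product(DOMAIN, repeat=len(variables))]


def satisfies(P, S, Q, states):
    """P{S}Q in the sense of the text: whenever P holds before S, Q holds
    after S terminates.  Exhaustive over the finite state space."""
    return all(Q(S(st)) for st in states if P(st))


def interference(P, S, Q, R, states):
    """Noninterference of S (proved under P{S}Q) with an assertion R from
    another process's proof requires (P and R){S}(Q and R).  Returns the
    states witnessing a violation (empty list = no interference)."""
    return [st for st in states if P(st) and R(st) and not (Q(S(st)) and R(S(st)))]


# Constructed sample.  Process 1 executes S1: x := x + 1, proved under
# x >= 0 {S1} x >= 1.  Process 2's proof annotates its statements with
# R1: x = 0, R2: y = 0 and R3: x >= 0.
def S1(st):
    new = dict(st)
    new["x"] = st["x"] + 1
    return new


P = lambda st: st["x"] >= 0
Q = lambda st: st["x"] >= 1
R1 = lambda st: st["x"] == 0          # invalidated by S1: interference
R2 = lambda st: st["y"] == 0          # untouched by S1: no interference
R3 = lambda st: st["x"] >= 0          # weaker annotation that S1 preserves

STATES = all_states(["x", "y"])
```

The check for R1 is what Owicki and Gries require of every assertion in the other
process's proof; R3 shows the usual repair, weakening the annotation until every
statement of the other process preserves it.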



The method of Owicki and Gries has been found to be quite successful, just as Hoare's
method has been found to be successful for sequential programs. Gries has constructed
a nice proof of Dijkstra's on-the-fly garbage collector in [Gri77], an algorithm with such
fine interleaving that the only atomic action required is memory reference. Levin and
Gries show in [LG81] how the method of Owicki and Gries can be used to verify CSP
processes. Furthermore, Schlichting and Schneider show in [SS84] how message passing
primitives can be incorporated into this framework.

As with sequential programs, the partial correctness of systems may be specified
with partial correctness assertions of the form $P\{S\}Q$. Due to the possibility of process
interference, however, it is not possible to specify the partial correctness of individual
processes in terms of such assertions alone. The specification of a process must also
describe its environment if such assertions are to be used. Without a description of its
environment, it is impossible to prove that a process satisfies most partial correctness
assertions. Furthermore, modification of a single process requires redoing a major
portion of a system's proof of correctness, since it must be shown that this modification
does not violate partial correctness assertions appearing in the correctness proofs of
other processes. Thus, both specifications and correctness proofs using partial
correctness assertions of the form $P\{S\}Q$ lack an important modularity. We consider
this lack of modularity to be a major problem in protocol verification.

Lamport addresses this lack of modularity in [Lam80]. Here Lamport redefines the
assertion $P\{S\}Q$ to mean that if execution is begun anywhere inside $S$ with $P$ true,
then executing $S$ will leave $P$ true while control is inside $S$, and will leave $Q$ true if
$S$ terminates. Such a definition is possible for Lamport since he allows the predicates
$P$ and $Q$ to refer to program locations, whereas Owicki and Gries restricted $P$ and $Q$
to program variables. The advantage of Lamport's scheme is that partial correctness
assertions for an entire system can be verified given partial correctness assertions
specifying each system component. After system correctness has been proven from
component specifications, any implementation of the components satisfying their
specifications can be used in the system's implementation. Lamport's method, however,
is not without its difficulties. For example, suppose that $S$ is a system component
making heavy use of shared variables. It seems difficult to construct assertions $P$ that
are invariant throughout the execution of $S$ without knowing how $S$ uses these shared
variables.

In our method, the problem of modular specification disappears since an environment
is implicitly specified by the fact that input actions are continuously enabled. (In
other words, anything can happen in the environment of a process.) As a result, if
a partial correctness assertion can be proven about process behavior, the partial
correctness assertion holds regardless of the process's actual environment. Thus in our
method it is no longer necessary to prove noninterference after proving the correctness
of individual processes. Furthermore, it is no longer necessary to redo any part of a
correctness proof when a process is modified, other than the correctness of the modified
process [...]

[...] Hoare-like systems are clearly valid in our model of computation. [...] Hoare-like
proofs of partial correctness assertions in our model. [...] there is no notion of [...] in
the Hoare logic, [...] prove liveness properties. [...] properties can often be used to
[...] termination of programs. Alpern and Schneider [...] verification of both liveness
and safety properties [...] partial correctness assertions. [...]

[...] temporal logic [...] an adaptation of classical modal logic suitable for reasoning
about [...] a sequence of system states. The fundamental temporal operators are the
unary operator $\Box$ and its dual $\Diamond$. [...] $\Box P$ states that $P$ holds at every
point during the computation, and $\Diamond P$ states that there is a point during the
computation at which $P$ is true. [...] $\Box(P \supset \Diamond Q)$ states that the property $P$
causes the property $Q$ to hold; the expression $\Box\Diamond P$ states that the property $P$
holds infinitely often.
Temporal logic is a useful abstraction with which to specify and reason about
program behavior. Since the meaning of a computation is a sequence of states, temporal
logic is able to express liveness properties as well as safety properties, and these
expressions are typically quite concise. Since reasoning in temporal logic begins with a
collection of axioms characterizing program behavior, and proceeds via general rules of
inference, reasoning in temporal logic has potential for automation. Furthermore, while
Hoare logics make use of inference rules that are independent of any programming
language, most of the work in a Hoare-style proof deals with language-specific semantics.
In contrast, reasoning in temporal logic is valid for all programs. The difficulty, of
course, is in abstracting from an implementation to a temporal logic characterization
of its behavior, and this problem is often swept under the rug.
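
The temporal operators just described, and the proof lattices of Owicki and Lamport
discussed below, evaluated over an ultimately periodic sequence of states as an added
example (not code from the report). A computation is a prefix followed by a loop repeated
forever, so $\Box$, $\Diamond$, $\Box(P \supset \Diamond Q)$ and $\Box\Diamond P$ can be decided by
inspecting finitely many positions; the arbiter state names, predicates and lattice are
constructed for illustration.

```python
# Added example, not code from the report: the temporal operators of the
# text evaluated over an ultimately periodic sequence of states, and a
# proof lattice (Owicki and Lamport) checked edge by edge.  A computation
# is given as (prefix, loop): the states of `prefix` followed by `loop`
# repeated forever.


def positions(prefix, loop):
    """Enough positions to evaluate any formula: every later position has the
    same future as one of these."""
    return range(len(prefix) + len(loop))


def state_at(prefix, loop, i):
    if i < len(prefix):
        return prefix[i]
    return loop[(i - len(prefix)) % len(loop)]


def suffix_states(prefix, loop, i):
    """The set of states occurring at positions >= i."""
    return set(prefix[i:]) | set(loop)


def always(p, prefix, loop, i=0):          # □p at position i
    return all(p(s) for s in suffix_states(prefix, loop, i))


def eventually(p, prefix, loop, i=0):      # ◇p at position i
    return any(p(s) for s in suffix_states(prefix, loop, i))


def leads_to(p, q, prefix, loop):          # □(p ⊃ ◇q)
    return all(not p(state_at(prefix, loop, i)) or eventually(q, prefix, loop, i)
               for i in positions(prefix, loop))


def infinitely_often(p, prefix, loop):     # □◇p: p holds somewhere in the loop
    return any(p(s) for s in loop)


def proof_lattice_holds(lattice, entry, exit_, preds, prefix, loop):
    """Each node A with successors A1..An denotes A ⊃ ◇(A1 ∨ ... ∨ An).
    Returns (every edge assertion holds, entry ⊃ ◇exit holds)."""
    edges_ok = all(
        leads_to(preds[node], lambda s, succ=succ: any(preds[a](s) for a in succ),
                 prefix, loop)
        for node, succ in lattice.items() if succ)
    return edges_ok, leads_to(preds[entry], preds[exit_], prefix, loop)


# Constructed sample: arbiter states, with the liveness property
# pending ⊃ ◇free proved through the lattice pending → granting → free.
PREDS = {
    "pending":  lambda s: s == "pending",
    "granting": lambda s: s == "granting",
    "free":     lambda s: s == "free",
}
LATTICE = {"pending": ["granting"], "granting": ["free"], "free": []}

# A fair computation: requests are decided and granted forever.
FAIR = (["free"], ["pending", "granting", "free"])
# A flood: the arbiter never gets its turn, so pending holds forever.
FLOOD = (["free"], ["pending"])
```

On the fl flooded computation the first lattice edge already fails, and so does the
conclusion; on the fair one every edge holds and the lattice's conclusion is confirmed
directly, which is the soundness argument for the lattice in miniature.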

A great deal of work in temporal logic concerns reasoning about system correctness
after system components have been specified in terms of temporal logic (see, for
example, [HO80], [SM81], [OL82], [Lam83], [Sta84] and [NGO85]). The most dramatic
distinction between these works is the way in which temporal logic is used to describe
system behavior. Schwartz and Melliar-Smith give purely temporal specifications of
programs in [SM81]. In these specifications, even the notion of a process state has been
replaced by temporal specifications. Consequently, the resulting specifications are quite
complex, involving nested "until" operators in addition to the temporal operators
described above. These specifications are often difficult to understand, and difficult to
reason about. On the other hand, Hailpern and Owicki make great use of the notion of
program state in [HO80]. They add history variables to the program state that describe
the history of events over communication links, and reason about the values assumed
by these variables. History variables are a convenient descriptive tool found in many
proof styles, and the specifications produced by Hailpern and Owicki are generally easy
to understand. The history variables, however, do not affect program behavior, and in
proofs reasoning about history variables the history variables themselves seem
extraneous. Between the extremes of [SM81] and [HO80] is the work of Lamport in
[Lam83]. Here the process state modeled consists only of program variables, and
temporal logic assertions describe the sequence of values these variables assume.
Although an automaton state can be seen as a natural extension of history variables,
our proofs tend to have a flavor similar to those of Lamport's in [Lam83].

While a great deal of work has studied the problem of reasoning about systems after
system components have been specified in terms of temporal logic, less has been devoted
to proving that an implementation actually meets its temporal logic specification. One
attempt is that of Owicki and Lamport in [OL82], improving on the work of Lamport
in [Lam77]. Since safety properties can be proven using methods of Owicki and Gries,
of particular interest is the style of proving liveness properties Owicki and Lamport
describe. Owicki and Lamport construct diagrams called proof lattices that outline the
structure of a proof of a liveness property. Informally, a proof lattice is an acyclic
directed graph with a single entry node having no incoming edges, and a single exit
node having no outgoing edges. Nodes of the graph are labeled with assertions. A
node labeled A with outgoing edges to nodes labeled A_1, ..., A_n denotes the assertion
that if A holds, then one of the assertions A_1, ..., A_n must eventually hold; that is,
A ⊃ ◇(A_1 ∨ ... ∨ A_n). Suppose each such assertion can be proven for a program. If the
entry node is labeled with A and the exit with B, then the proof lattice amounts to a
proof of the liveness property A ⊃ ◇B for the program. Manna and Pnueli extend the
use of proof lattices in [MP84]. In this work, however, an automata-theoretic model
of computation is explicitly defined, and proof rules are given for proving that each
assertion denoted by edges of the proof lattice is satisfied by the system modeled by
an automaton. We find this work a very satisfying example of how an automata-theoretic
model of computation and temporal logic can be used together. Given an
automata-theoretic description of system implementation, temporal logic provides a
useful abstraction for reasoning about system behavior. While we have not fixed on
one particular specification language, we feel that temporal logic and our
automata-theoretic model of computation can work well together. In particular, through the
use of automata we are able to incorporate temporal logic into hierarchical correctness
proofs.

The use of abstraction is an important aspect of our style of algorithm verification.
Most work in the literature claiming to produce proofs with a hierarchical structure
actually allows system components to be verified independently, and then combined
to verify the correctness of the system. This notion of hierarchical verification is a
restricted version of the notion we use in this work. Here we actually construct models
of the entire system at conceptually different levels of abstraction, rather than merely
combining local process states into global system states.

Our work most closely resembles that of Lamport in [Lam83]. Here Lamport specifies
a program with a collection of state functions mapping program states into sets of
values, a collection of initial conditions essentially defining the set of states in which
the system may begin computation, and a collection of properties describing safety and
liveness conditions. We note that the values to which states are mapped by state
functions can be thought of as state variables describing relevant aspects of the system to be
implemented. Furthermore, the properties included in the system specification define
allowed and required changes in the values these variables assume. If these variables
are collected into states, then the variables together with the properties essentially
define an automaton together with a collection of eventuality conditions restricting the
computations of the automaton. If the program implementing the specified system is
considered to be an automaton, as is implicitly the case in Lamport's work, then the
state functions can be thought of as mappings from an automaton describing the
system at one level of abstraction to an automaton describing the system at a higher level
of abstraction. This is the technique used in our work. Our work is an improvement
on that of Lamport's in the sense that we carry his style of specifications to its natural
conclusion, making the automata-theoretic flavor of his work explicit. Furthermore,
we make explicit his underlying assumption that what is important about a process
is the externally observable behavior of the process. His work seems to imply that
the variables and state functions must be describing some aspect of the system that
must appear in the implementation. We feel, however, that they are to be considered
merely descriptive tools, and that the notion of subset containment used as the notion
of correctness in this work is the notion of correctness actually underlying Lamport's
work.

Other work similar to ours is that of Stark in [Sta84]. Many of the aims and ideas
underlying his work are the same as ours, but his model is much more general than
ours. We find our model to be simpler and easier to use than Stark's, and expressive
enough to describe most systems of interest. Work on hierarchical verification also
includes that of Lam and Shankar; Harel in [Har87]; and Lamport, Lynch,
and Welch in [LLW87]. Each of these techniques analyzes an algorithm by abstracting
away certain portions of the algorithm (rather than mapping to an entirely different
level of conceptual abstraction as we do here) and studying the remaining "image" of
the original algorithm. To Lam and Shankar, the advantage of this method seems to
be that it allows highly interdependent modules of a system to be studied in isolation.
Lamport, Lynch, and Welch seem to be taking this notion of "projection" one step
further. They show how projections onto different modules can be combined into a
proof of the entire system, giving the proof a lattice-like structure. While still work
in progress, their work seems to be shedding new light on the intellectual organization
of protocol verification. The progress being made in their research can certainly be
incorporated into ours.

The remainder of this thesis consists of two parts. First, in Chapter 2, we formally
define our model of computation and develop the machinery needed to use our model
in the construction of hierarchical correctness proofs. Then, in Chapter 3, we illustrate
the use of our model by proving the correctness of Schonhage's distributed resource
arbiter. Finally, in Chapter 4, we end with some concluding remarks, including some
ideas for future work.

Chapter 2

The Input-Output Automaton Model



In this chapter we define the input-output automaton model. We begin with a formal
definition of an input-output automaton, and define operations that may be performed
on automata, such as the composition of automata. We then show how [...] automata.
Finally, we develop the machinery necessary for the construction of modular,
hierarchical correctness proofs for distributed algorithms.

2.1 Input-Output Automata 

Having informally described our model in the introduction, we now formally define
it. Since we will frequently discuss the interface between an automaton and its
environment, it is convenient to be able to refer to the sets in, out, and int of input,
output, and internal actions of an automaton separately. We refer to the triple
(in, out, int) as an action signature S. We denote in, out, and int by in(S), out(S),
and int(S), respectively; and we denote the set in ∪ out ∪ int of all actions by acts(S).
Since in ∪ out is the set of actions visible to the environment, we denote this set of
external actions by ext(S). Finally, we denote the set int ∪ out of locally-controlled
actions by local(S).
An input-output automaton (or automaton) A consists of five components:

1. a set states(A) of states,

2. a set start(A) ⊆ states(A) of start states,

3. an action signature sig(A),

4. a transition relation steps(A) ⊆ states(A) × acts(sig(A)) × states(A), with the
property that for every state a and input action π there is a transition (a, π, a')
in steps(A), and

5. an equivalence relation part(A) on local(sig(A)).

Notice that the transition relation steps(A) has the property that input actions are
continuously enabled, as mentioned in the introduction. Notice, also, that the
equivalence relation part(A) is the partition of the locally-controlled actions alluded to in the
introduction. This partition will be used when we define the notion of fair computation
in Section 2.2.

We refer to an element (a, π, a') of steps(A) as a π-step from a to a'. It will
occasionally be convenient to denote the step (a, π, a') by $a \stackrel{\pi}{\longrightarrow} a'$, and to denote the sequence of
steps $a_0 \stackrel{\pi_1}{\longrightarrow} a_1 \cdots \stackrel{\pi_n}{\longrightarrow} a_n$ by $a_0 \stackrel{\pi_1 \cdots \pi_n}{\Longrightarrow} a_n$. The step (a, π, a') is called an input step if π is
an input action, and output steps, internal steps, external steps, and locally-controlled
steps are similarly defined. If (a, π, a') is a step of A, then π is said to be enabled
from a. Since every input action is enabled from every state, automata are said to be
input-enabled.

An execution fragment of A is a finite sequence a_0 π_1 a_1 ... π_n a_n or infinite sequence
a_0 π_1 a_1 π_2 a_2 ... of alternating states and actions such that (a_i, π_{i+1}, a_{i+1}) is a step of A
for every i. An execution fragment beginning with a start state is called an execution.
We denote the set of executions of A by execs(A). A state is said to be reachable if it is
the final state of a finite execution. The schedule of an execution x is the subsequence
of actions appearing in x, denoted by sched(x). We denote the set of schedules of A by
scheds(A).

We will soon consider certain subsets of an automaton's executions or schedules
(such as the set of fair computations) to be of particular interest. Since we will
compose automata, it will be necessary to have ways of composing sets of executions or
schedules as well. If these compositions are to be meaningfully related, however,
certain information about the structure of the original automata must be retained. In
particular, it is important to retain information about the action signatures of these
automata. We are therefore led to define the notions of execution modules and
schedule modules, essentially sets of executions or schedules, respectively, together with an
action signature.

An execution module E consists of a set states(E) of states, an action signature
sig(E), and a set execs(E) of executions. Each execution of E is an alternating sequence
of states and actions of E beginning with a state, and ending with a state if the
sequence is finite. Each execution x has an associated schedule sched(x) that consists
of the subsequence of actions appearing in x. We denote the set of schedules of E by
scheds(E). An execution module E is said to be an execution module of an automaton A
if E and A have the same states, the same action signature, and the executions of E
are contained in the executions of A. Notice that an execution module E is always
an execution module of some automaton. In particular, E is an execution module
of the automaton having the states and action signature of E, and the transition
relation states(E) × acts(sig(E)) × states(E). We denote the execution module of
the automaton A having execs(A) as its set of executions by Execs(A). (We follow
the convention of denoting sets with lower case names and modules with capitalized
names.)

A schedule module S consists of an action signature sig(S) together with a set
scheds(S) of schedules. Each schedule of S is a finite or infinite sequence of the actions
of S. Given an execution module E, we denote the schedule module associated
with E, having the action signature sig(E) and the schedules scheds(E), by
Scheds(E), and write Scheds(A) as shorthand for Scheds(Execs(A)).

We refer collectively to automata, execution modules, and schedule modules as
objects. The type of an object determines whether it is an automaton, execution module,
or schedule module. For notational convenience, given an object O we often omit
reference to its action signature and write, for example, in(O) for in(sig(O)).

Since it is typically the case that more than one automaton can model the same
process, some notion of equivalence is needed. Intuitively, the external observer of a
process is able to detect only the sequence of actions performed by the process. In
fact, the only actions detectable by such an observer are the external actions of the
process. We are therefore led to define a notion of equivalence determined by the
externally visible sequences of actions produced by an object. Since we will consider
in Section 2.2.2 a second notion of equivalence based on the fair behavior of an object,
we refer to the current notion of equivalence as unfair equivalence.


We begin by defining an operation that essentially extracts the externally visible
behavior of an object. An external action signature is an action signature consisting
entirely of external actions; that is, having no internal actions. The external action
signature of an object O is the action signature obtained by removing the internal actions
from the action signature of O. An external schedule module is a schedule module with
an external action signature. Given a sequence y of actions and a set Π of actions, we
denote by y|Π the subsequence of y consisting of actions from Π. The external schedule
module of an object O, denoted by External(O), is the external schedule module with
the external action signature of O and the schedules {y|ext(O) : y ∈ scheds(O)}
obtained by removing the internal actions from the schedules of O. We define the unfair
behavior of O, denoted by Ubeh(O), to be the external schedule module External(O).
Two objects O and P of the same type are said to be unfairly equivalent, denoted by
O ≡_unfair P, if Ubeh(O) = Ubeh(P). This equivalence is clearly an equivalence relation,
and we will see that it is also a congruence with respect to the operations we now define
on objects.

2.1.1 Composition

To build models of complex systems, we compose models of simpler system components.
In this section we show how to compose objects to construct such models.

Composition of Automata 

Informally, the composition of a collection of automata is their Cartesian product, with
the added requirement that automata synchronize the performance of shared actions.
That is, each automaton is allowed to take steps independently, with the restriction
that if one automaton takes a π-step, then all automata sharing π as an action must
also take a π-step. This synchronization models communication between system
components: If π is an output action of A and an input action of B, then the simultaneous
performance of π models communication from A to B. Since synchronization is meant
only to model communication, however, two automata sharing π as an output action
should not be required to perform π simultaneously. We note that two processors
cannot be expected to perform an output action simultaneously in an asynchronous
system. Rather than complicate the notion of composition, we require instead that the
output actions of composed automata be disjoint. Since internal actions are meant to
model externally undetectable actions, we are faced with the need for a similar
restriction for internal actions. We require that the internal actions of each automaton in a
composition be disjoint from the actions of the remaining automata.

Having restricted the composition of automata to those with suitably compatible
action signatures, determining the type of an action in a composition is fairly simple:
Output actions of the component automata become output actions of the composition,
internal actions of component automata become internal actions of the composition,
and all remaining (input) actions of the component automata become input actions of
the composition. Notice that the composition of automata does not hide communication
between component automata. To hide such communication will require the use of a
hiding operation defined later in Section 2.1.2.

Finally, recall that associated with every automaton (in particular, with a
composition of automata) is a partition of its locally-controlled actions. Our intuitive
understanding of this partition is that each class represents the locally-controlled actions of
one system component. A natural partition of a composition's locally-controlled actions
is to place the locally-controlled actions of each component automaton in a separate
class. Since the restrictions we impose on the composition of automata ensure that
the locally-controlled actions of the component automata are disjoint, this is indeed
a partition. However, each component automaton may model many system
components. We therefore partition a composition's locally-controlled actions by taking each
class of each component automaton as a separate class of the composition's partition.
That is, the partition of a composition's locally-controlled actions is the union of its
components' partitions.
We are now ready to formally define the composition of automata. We begin
by defining a composition of action signatures. Previous discussion suggests that the
action signatures {S_i : i ∈ I} be called compatible if for all i, j ∈ I with i ≠ j we have

1. out(S_i) ∩ out(S_j) = ∅, and

2. int(S_i) ∩ acts(S_j) = ∅.

In general, we say that the objects {O_i : i ∈ I} are compatible if their action
signatures are compatible. The composition S = ∏_{i∈I} S_i of compatible action signatures
{S_i : i ∈ I} is defined to be the action signature with

1. in(S) = ∪_{i∈I} in(S_i) − ∪_{i∈I} out(S_i),

2. out(S) = ∪_{i∈I} out(S_i), and

3. int(S) = ∪_{i∈I} int(S_i).

Notice that this composition is commutative and associative.

The composition A = ∏_{i∈I} A_i of compatible automata {A_i : i ∈ I} is defined to be
the automaton with

1. states(A) = ∏_{i∈I} states(A_i),

2. start(A) = ∏_{i∈I} start(A_i),

3. sig(A) = ∏_{i∈I} sig(A_i),

4. part(A) = ∪_{i∈I} part(A_i), and

5. steps(A) equal to the set of triples ({a_i}, π, {a'_i}) such that for all i ∈ I

(a) if π ∈ acts(A_i) then (a_i, π, a'_i) ∈ steps(A_i), and

(b) if π ∉ acts(A_i) then a_i = a'_i.

Notice that since the automata A_i are input-enabled, so is their composition, and hence
their composition is an automaton. When I is a finite set {1, ..., n}, we will frequently
denote the composition ∏_{i∈I} A_i by A_1 · ... · A_n.

As a simple example of automaton composition, consider the two automata A and B
shown at the top of Figure 2.1, and their composition A · B shown at the bottom of the
same figure. (A caret points to the single initial state of each automaton.) The action α
is an output action of A and an input action of B, and the action β is an output action
of B and an input action of A. Notice that since each waits for the other to take an
output step before taking an output step itself, the automata A and B alternate output
steps in executions of the composition A · B. Notice, furthermore, that since α and β
are output actions of A and B, respectively, all actions of the composition A · B are
output actions. Finally, notice that the partition of the composition's locally-controlled
actions (in this case, the output actions) places α and β in separate equivalence classes.

Figure 2.1: An example of automaton composition.

The composition of automata has two simple properties. First, an execution of a
composition A = ∏_i A_i always induces executions in the component automata A_i. If
a = {a_i} is a state of A, let a|A_i = a_i. If x = a_0 π_1 a_1 ... is an execution of A, let x|A_i be
the sequence obtained by deleting π_j a_j when π_j is not an action of A_i, and replacing
the remaining a_j with a_j|A_i. We now have the following:

Lemma 1: If x ∈ execs(∏_{i∈I} A_i), then x|A_i ∈ execs(A_i) for all i ∈ I.

Proof: Let A = ∏_i A_i, and suppose that x = a_0 π_1 a_1 .... By the definition of an
execution, a_0 is a start state of A, and every triple (a_{k−1}, π_k, a_k) is a step of A. Two
facts follow from the definition of the composition A. First, a_0|A_i must be a start state
of A_i. Second, if π_k is an action of A_i then (a_{k−1}|A_i, π_k, a_k|A_i) is a step of A_i. If π_k is
not an action of A_i then a_{k−1}|A_i = a_k|A_i. Thus, if x|A_i = s_0 σ_1 s_1 ..., then s_0 is a start
state of A_i, and every triple (s_{k−1}, σ_k, s_k) is a step of A_i. Therefore, x|A_i is an execution
of A_i. □
Conversely, under certain conditions an execution of a composition is induced by
executions of its components. If y is a sequence of actions of A = ∏_{i∈I} A_i, let y|A_i
denote y|acts(A_i).

Lemma 2: Let {A_i : i ∈ I} be a collection of compatible automata, and let A = ∏_{i∈I} A_i.
Let x_i be an execution of A_i for every i ∈ I, and let y be a sequence of actions from the A_i.
If y|A_i = sched(x_i) for every i ∈ I, then there is an execution x of A such that y = sched(x)
and x|A_i = x_i for every i ∈ I.

Proof: Suppose y = π_1 π_2 ..., and for each i ∈ I write x_i = a^i_0 π^i_1 a^i_1 .... Since
y|A_i = sched(x_i), we can write π^i_k = π_{u_k}, where u_k is the position in y of the k-th action
of A_i appearing in y (so u_1 < u_2 < ...; take u_0 = 0). Let x = a_0 π_1 a_1 ..., where a_j|A_i = a^i_k
for the largest k with u_k ≤ j. Then a_0 = {a^i_0} is a start state of A, sched(x) = y, and
x|A_i = x_i for every i ∈ I. It remains to check that every triple (a_{j−1}, π_j, a_j) is a step
of A. Fix i ∈ I. If π_j ∈ acts(A_i), then π_j = π^i_k for some k with u_k = j. It follows that
a_{j−1}|A_i = a^i_{k−1} and a_j|A_i = a^i_k, since u_{k−1} < j = u_k. Thus, (a_{j−1}|A_i, π_j, a_j|A_i) is a
step of A_i. Conversely, suppose π_j ∉ acts(A_i). Then u_k < j < u_{k+1} for some k, and it
follows that a_{j−1}|A_i = a^i_k = a_j|A_i. By the definition of the composition A, the triple
(a_{j−1}, π_j, a_j) is therefore a step of A, and x is an execution of A. □

To see that a locally-controlled action is enabled after a finite schedule of a
composition, it is enough to reason about the enabling of the action at one component.

Corollary 3: Let y be a finite schedule of a composition A = ∏_{i∈I} A_i. Let π be a
locally-controlled action of A_j, and let y' = yπ. If y'|A_j is a schedule of A_j, then y' is a
schedule of A.

Proof: Let x be an execution of A with y = sched(x). By Lemma 1, x|A_i is an execution
of A_i for every i ∈ I. Since each A_i is input-enabled, and since y'|A_i is a schedule of A_i
for every i ∈ I (for i ≠ j, π is either not an action of A_i or an input action of A_i), for
every i ∈ I there is an execution x_i of A_i such that y'|A_i = sched(x_i). By Lemma 2
there is an execution x' of A such that y' = sched(x'), and hence y' is a schedule of A. □
Composition of Execution Modules

We now define the composition of execution modules. The composition E = ∏_{i∈I} E_i
of compatible execution modules {E_i : i ∈ I} is defined as follows. The states of E
are ∏_{i∈I} states(E_i), and the action signature is ∏_{i∈I} sig(E_i). Given a state s = {s_i} of
the composition, we define s|E_i = s_i. Given a sequence x = s_0 π_1 s_1 ... of states and
actions of E we define x|E_i to be the sequence obtained by removing π_j s_j if π_j is not
an action of E_i, and replacing the remaining s_j by s_j|E_i. The executions of E are those
sequences x = s_0 π_1 s_1 ... such that for every i ∈ I we have that x|E_i is an execution of E_i,
and that s_{j−1}|E_i = s_j|E_i whenever π_j is not an action of E_i. The next lemma gives an
alternative characterization of the composition of execution modules.

Lemma 4: Let {E_i : i ∈ I} be a collection of compatible execution modules. Suppose
E_i is an execution module of an automaton A_i for every i ∈ I. Then ∏_{i∈I} E_i is
the execution module of ∏_{i∈I} A_i with executions x such that x|A_i is an execution of E_i
for every i ∈ I.

Proof: Let E = ∏_i E_i and A = ∏_i A_i. Since E_i is an execution module of A_i, it
follows that E_i and A_i have the same states and action signature, and hence so do E
and A. We need only check that the executions of E are the executions x of A such
that x|A_i is an execution of E_i. Suppose x is an execution of E. The execution x is
a sequence s_0 π_1 s_1 ... of states and actions of E such that x|E_i is an execution of E_i,
and s_{j−1}|E_i = s_j|E_i whenever π_j is not an action of E_i. Since E_i is an execution
module of A_i, (s_{j−1}|A_i, π_j, s_j|A_i) is a step of A_i whenever π_j is an action of A_i, and
s_{j−1}|A_i = s_j|A_i whenever π_j is not an action of A_i. It follows that x is an execution of A,
and furthermore that x|A_i is an execution of E_i for every i ∈ I. Conversely, suppose x
is an execution of A such that x|A_i is an execution of E_i for every i ∈ I. Clearly, x
is a sequence s_0 π_1 s_1 ... of states and actions of E such that x|E_i is an execution of E_i
for every i ∈ I. Furthermore, from the definition of the composition of automata we
see that s_{j−1}|E_i = s_j|E_i whenever π_j is not an action of E_i. It follows that x is an
execution of E, as desired. □

This composition is defined so that the following result holds.

Lemma 5: For all compatible automata {A_i : i ∈ I},

Execs(∏_{i∈I} A_i) = ∏_{i∈I} Execs(A_i).

Proof: Let A = ∏_i A_i. Furthermore, let EC = Execs(∏_i A_i) and CE = ∏_i Execs(A_i).
Notice that EC is an execution module of A. Furthermore, since Execs(A_i) is an
execution module of A_i for every i ∈ I, Lemma 4 implies that CE is also an execution
module of A. It follows that EC and CE have the same states and action signature.
By Lemma 1, x is an execution of EC iff x is an execution of A such that x|A_i is an
execution of A_i for every i ∈ I, and by Lemma 4 this is the case iff x is an execution
of CE. Thus EC and CE have the same executions, and hence are equal. □

Composition of Schedule Modules

We now define the composition of schedule modules. The composition ∏_{i∈I} S_i of
compatible schedule modules {S_i : i ∈ I} is defined to be the schedule module with action
signature ∏_{i∈I} sig(S_i) and schedules y such that y|S_i is a schedule of S_i for every i ∈ I,
where y|S_i denotes y|acts(S_i).

This composition is defined so that the following result holds.

Lemma 6: For all compatible execution modules {E_i : i ∈ I},

Scheds(∏_{i∈I} E_i) = ∏_{i∈I} Scheds(E_i).

Proof: Let SC = Scheds(∏_i E_i) and CS = ∏_i Scheds(E_i). Since SC and CS clearly
have the same action signatures, we need only show that they have the same schedules.
Suppose E_i is an execution module of an automaton A_i for every i ∈ I. Notice that y
is a schedule of SC iff y is the schedule of an execution x of ∏_i E_i. Lemma 4 implies
this is the case iff y is the schedule of an execution x of ∏_i A_i such that x|A_i is an
execution of E_i for every i ∈ I. Lemma 2 implies this is the case iff y|E_i is the schedule
of an execution of E_i for every i ∈ I. From the definition of schedule module composition
we see this is the case iff y is a schedule of CS. Thus, SC and CS have the same schedules
and hence are equal. □

In addition, we have the following.

Lemma 7: For all compatible schedule modules {S_i : i ∈ I},

External(∏_{i∈I} S_i) = ∏_{i∈I} External(S_i).

Proof: Let S = ∏_i S_i, EC = External(∏_i S_i) and CE = ∏_i External(S_i). Since
the schedule modules S_i are compatible, int(S_i) ∩ acts(S_j) = ∅ for all i ≠ j. That is,
the internal actions of each schedule module are disjoint from the actions of the others.
With this observation, it follows from the definition of action signature composition
that EC and CE have the same action signature. We need only show they have the
same schedules. If y is a schedule of EC, then y = y'|ext(S) for some schedule y' of S.
Since y'|S_i is a schedule of S_i, y|External(S_i) = y'|External(S_i) is a schedule of
External(S_i), and hence y is a schedule of CE. Conversely, suppose y is a schedule of
CE. Then y|External(S_i) = y_i|ext(S_i) for some schedule y_i of S_i. Suppose y = π_1 π_2 ....
Let us write y_i = α^i_0 β^i_1 α^i_1 ... where α^i_j is a (possibly empty) sequence of internal actions
of S_i, and β^i_j is π_j if π_j is an external action of S_i and the empty string otherwise. Let
y' = γ_0 π_1 γ_1 ... where γ_j is an arbitrary interleaving of the actions appearing in the α^i_j.
Then y' is a sequence of actions of S such that y'|S_i = y_i is a schedule of S_i, so y' is a
schedule of S. Since y = y'|ext(S), y is a schedule of EC. □

Lemmas 5, 6, and 7 can be summarized as follows.

Corollary 8: Let A denote the class of automata, E denote the class of execution
modules, and S denote the class of schedule modules. The following diagram commutes:

[Diagram omitted in this transcription; its arrows are labeled Execs, Scheds, and External.]

One important consequence of Corollary 8 is the following result, which says that
the (unfair) behavior of a composition is the composition of its components' (unfair)
behaviors.

Lemma 9: Ubeh(∏ O_i) = ∏ Ubeh(O_i) for all compatible objects {O_i : i ∈ I}.

It is now possible to see that composition satisfies a number of natural axioms. We
note that the following result is an immediate consequence of the definition of schedule
module composition.

Lemma 10: Suppose S = ∏_i S_i, T = ∏_i T_i, U = ∏_i U_i, and V = ∏_i V_i where the S_i,
T_i, U_i, and V_i are schedule modules.

1. S · T = T · S.

2. (S · T) · U = S · (T · U).

3. If S = T and U = V, then S · U = T · V whenever the compositions S · U and
T · V are defined.

As a consequence of Lemmas 9 and 10, we have the following.

Lemma 11: Suppose O = ∏_i O_i, P = ∏_i P_i, Q = ∏_i Q_i, and R = ∏_i R_i where
the O_i, P_i, Q_i, and R_i are objects.

1. O · P ≡_unfair P · O.

2. (O · P) · Q ≡_unfair O · (P · Q).

3. If O ≡_unfair P and Q ≡_unfair R, then O · Q ≡_unfair P · R whenever the compositions
O · Q and P · R are defined.

Proof: To see that O · P ≡_unfair P · O, we must show that the external schedule modules
Ubeh(O · P) and Ubeh(P · O) are equal. By Lemma 9 we see that Ubeh(O · P) = Ubeh(O) · Ubeh(P)
and Ubeh(P · O) = Ubeh(P) · Ubeh(O). However, Lemma 10 implies that these schedule
modules are equal. Therefore, O · P ≡_unfair P · O. The remaining parts are similar. □

Conditions 1 and 2 say that composition is commutative and associative up to
equivalence. Condition 3 says that unfair equivalence is almost a congruence with respect
to composition. However, since the external behavior of O and Q contains no information
about the internal actions of O and Q, their external behaviors do not determine
whether they are compatible, and hence whether their composition is defined. Thus
equivalence is not quite a congruence. We call an equivalence satisfying condition 3 a
weak congruence. Notice that this weakness is due only to conflicting internal action
names, actions not affecting the external behavior of an object. In Section 2.1.3 we will
see how to perform a syntactic renaming of internal action names to avoid this conflict
without affecting the external behavior of the object. This is reminiscent of variable
renaming to avoid conflict during substitution in predicate calculus.

2.1.2 Action Hiding

Recall that composition does not hide actions modeling interprocess communication:
In particular, if π is an output action of A and an input action of B modeling
communication from A to B, then π becomes an (external) output action of A · B. Since
this communication is really internal to the system A · B, we would like to be able to
hide π from external view, to transform π into an internal action of A · B.

Given an object O and a set of actions Σ, we define the object Hide_Σ(O) to be the
object differing from O only in that

1. in(Hide_Σ(O)) = in(O) − Σ,

2. out(Hide_Σ(O)) = out(O) − Σ, and

3. int(Hide_Σ(O)) = int(O) ∪ (acts(O) ∩ Σ).
Since the hiding operation modifies only the action signature of an object (without
modifying its executions or schedules), we have the following:

Lemma 12: For all automata A, execution modules E, schedule modules S, and sets
of actions Σ,

1. Execs(Hide_Σ(A)) = Hide_Σ(Execs(A))

2. Scheds(Hide_Σ(E)) = Hide_Σ(Scheds(E))

3. External(Hide_Σ(S)) = External(Hide_Σ(External(S)))

Proof: Parts 1 and 2 are immediate from the definition of the hiding operation. Part 3
follows from the fact that y|(ext(S) − Σ) = (y|ext(S))|(ext(S) − Σ) for every schedule y.
□
As a corollary of Lemma 12, we have the following:

Corollary 13: Let A denote the class of automata, E denote the class of execution
modules, and S denote the class of schedule modules. The following diagram commutes:

[Diagram omitted in this transcription.]

Suppose {O_i : i ∈ I} are compatible objects, and consider their composition O.
Suppose that π is an action of O_j not shared by O_i for every i ≠ j. Intuitively, if π
models some communication internal to the system component modeled by O_j, then
whether π is hidden before or after forming the composition O should not affect the
resulting object. This intuition is formalized in the following result.
Lemma 14: Let $\{O_i : i \in I\}$ be a collection of compatible objects, and let $\{\Sigma_i : i \in I\}$ 
be a collection of sets of actions such that $acts(O_j) \cap \Sigma_i$ is empty for all $i \neq j$. Then 
$Hide_{\bigcup_{i \in I} \Sigma_i}(\prod_{i \in I} O_i) = \prod_{i \in I} Hide_{\Sigma_i}(O_i)$. 

Proof: Since $acts(O_j) \cap \Sigma_i$ is empty, for all $i \neq j$ we have 

$$out(O_i) \cap out(O_j) = (out(O_i) - \Sigma_i) \cap (out(O_j) - \Sigma_j) = out(Hide_{\Sigma_i}(O_i)) \cap out(Hide_{\Sigma_j}(O_j))$$ 

and 

$$int(O_i) \cap acts(O_j) = [int(O_i) \cup (\Sigma_i \cap acts(O_i))] \cap [acts(O_j) - \Sigma_j] = int(Hide_{\Sigma_i}(O_i)) \cap acts(Hide_{\Sigma_j}(O_j)).$$ 

It follows that the objects $Hide_{\Sigma_i}(O_i)$ are compatible, so their composition is defined. 
Let $HC$ denote $Hide_{\bigcup_i \Sigma_i}(\prod_i O_i)$ and let $CH$ denote $\prod_i Hide_{\Sigma_i}(O_i)$. Since hiding 
changes neither executions nor schedules, it remains to show that $HC$ and $CH$ have the 
same action signature. We have 

$$\begin{aligned} 
in(HC) &= in(\prod_{i \in I} O_i) - \bigcup_{j \in I} \Sigma_j \\ 
&= (\bigcup_{i \in I} in(O_i) - \bigcup_{j \in I} out(O_j)) - \bigcup_{k \in I} \Sigma_k \\ 
&= (\bigcup_{i \in I} in(O_i) - \bigcup_{j \in I} \Sigma_j) - (\bigcup_{i \in I} out(O_i) - \bigcup_{j \in I} \Sigma_j) \\ 
&= \bigcup_{i \in I} (in(O_i) - \Sigma_i) - \bigcup_{j \in I} (out(O_j) - \Sigma_j) \\ 
&= \bigcup_{i \in I} in(Hide_{\Sigma_i}(O_i)) - \bigcup_{j \in I} out(Hide_{\Sigma_j}(O_j)) \\ 
&= in(\prod_{i \in I} Hide_{\Sigma_i}(O_i)) = in(CH), 
\end{aligned}$$ 

where we have used the fact that $acts(O_j) \cap \Sigma_i$ is empty for all $i \neq j$. Similar arguments 
show that $out(HC) = out(CH)$ and $int(HC) = int(CH)$. Therefore, $HC$ and $CH$ 
have the same action signature, and hence are equal. □ 

2.1.3 Action Renaming 

Our definition of composition makes the names of actions quite important. In particu- 
lar, the notion of object compatibility depends entirely on the names of actions shared 
by the objects. In this section, we define an operation that renames actions. With this 
operation, objects can be made compatible by renaming conflicting actions. 

An action mapping $f$ is an injective mapping between sets of actions. Such a 
mapping is said to be applicable to an object $O$ if the domain of $f$ contains the ac-
tions of $O$. Action mappings are extended to objects in the obvious way. If the 
action mapping $f$ is applicable to an automaton $A$, then the automaton $f(A)$ is 
the automaton with input, output, and internal actions $f(in(A))$, $f(out(A))$, and 
$f(int(A))$, respectively; with the transition relation $\{(a, f(\pi), a') : (a, \pi, a') \in steps(A)\}$; 
and with the equivalence relation $\{(f(\pi), f(\pi')) : (\pi, \pi') \in part(A)\}$. Since $f$ is injective, 
the partition of the locally-controlled actions of $f(A)$ is guaranteed to be an equivalence 
relation. Objects $f(O)$ are defined similarly for other types of objects. Such an object 
$f(O)$ is said to be a renaming of $O$. Since renaming affects only action names, the 
following result is easy to prove: 

Lemma 15: For all automata $A$, execution modules $E$, schedule modules $S$, and 
applicable action mappings $f$, 

1. $Execs(f(A)) = f(Execs(A))$ 

2. $Scheds(f(E)) = f(Scheds(E))$ 

3. $External(f(S)) = f(External(S))$ 

In addition, since action mappings are injective, it is easy to see that actions may 
be hidden before or after renaming: 

Lemma 16: $Hide_{f(\Sigma)}(f(O)) = f(Hide_\Sigma(O))$ for any object $O$ and applicable action 
mapping $f$. 

Let us consider how renaming interacts with composition. Suppose an action map-
ping $f_i$ is applicable to the object $O_i$ for every $i \in I$. First, notice that if the $f_i$ map 
distinct actions of the $O_i$ to the same action $\pi$, then the $f_i(O_i)$ are incompatible, and 
$\prod_i f_i(O_i)$ is not defined even though $\prod_i O_i$ may be. Furthermore, if each $f_i$ maps an 
action $\pi$ to a different action $\pi_i$, then executions of $\prod_i f_i(O_i)$ may have no relationship 
to the executions of $\prod_i O_i$, since the objects $f_i(O_i)$ may no longer be required to syn-
chronize on the actions $\pi_i$. We are therefore led to define a collection $\{f_i : i \in I\}$ of 
action mappings to be compatible if for all actions $\pi_i$ and $\pi_j$ we have $f_i(\pi_i) = f_j(\pi_j)$ iff 
$\pi_i = \pi_j$. We define their composition $f = \prod_i f_i$ to be the action mapping having as its 
domain the union of the domains of the $f_i$, and mapping the action $\pi$ to $f_i(\pi)$ if $\pi$ is 
in the domain of $f_i$. The fact that the $f_i$ are compatible ensures that $f$ is well-defined. 
It is obvious that if each $f_i$ is applicable to an object $O_i$, then $f$ is applicable to their 
composition. In addition, the following result verifies that the renaming of such objects 
may be performed either before or after composition without affecting 
the resulting object. 



Lemma 17: Let $\{O_i : i \in I\}$ be compatible objects, and let $\{f_i : i \in I\}$ be compatible 
action mappings. If $f_i$ is applicable to $O_i$ for every $i \in I$, then 

$$(\prod_{i \in I} f_i)(\prod_{i \in I} O_i) = \prod_{i \in I} f_i(O_i).$$ 

Proof: We prove the result for automata; the proofs for other types of objects are 
similar. Let $A = \prod_i A_i$, $f = \prod_i f_i$, and $A' = \prod_i f_i(A_i)$. We show that $f(A)$ is defined 
iff $A'$ is defined, and that $f(A) = A'$. To do so, we must verify the following: (i) 
that the $A_i$ are compatible iff the $f_i(A_i)$ are compatible, (ii) that $f(A)$ and $A'$ have 
the same action signature, (iii) that $f(A)$ and $A'$ have the same states and start states, 
(iv) that $f(A)$ and $A'$ have the same transition relation, and (v) that $f(A)$ and $A'$ have 
the same partition of locally-controlled actions. Since the $f_i$ are injective mappings 
such that $f_i(\pi_i) = f_j(\pi_j)$ iff $\pi_i = \pi_j$, the only nontrivial part of this proof to check is 
part iv. Suppose that $(a, \pi, a')$ is a step of $f(A)$. For some action $\sigma$ we must have 
$f(\sigma) = \pi$ and $(a, \sigma, a')$ a step of $A$. Furthermore, for each $i$, the action $\sigma$ 
is an action of $A_i$ iff $\pi$ is an action of $f_i(A_i)$. If $\pi$ is an action of $f_i(A_i)$, then $\sigma$ is 
an action of $A_i$, so $(a|A_i, \sigma, a'|A_i)$ is a step of $A_i$, and $(a|f_i(A_i), \pi, a'|f_i(A_i))$ is a step of 
$f_i(A_i)$. If $\pi$ is not an action of $f_i(A_i)$, then $\sigma$ is not an action of $A_i$, so $a|A_i = a'|A_i$ 
and $a|f_i(A_i) = a'|f_i(A_i)$. In either case, $(a, \pi, a')$ is a step of $A' = \prod_i f_i(A_i)$. A symmetric 
argument shows that every step of $A'$ is a step of $f(A)$. Thus 
$f(A)$ and $A'$ have the same transition relation, and hence are equal. □ 

2.1.4 Remarks 

Since the definitions given so far have been independent of such considerations, we 
have chosen to ignore until this point issues of cardinality that appear in most mod-
els of computation. For example, we have not restricted our model to automata with 
countable sets of states and actions, and hence to countable nondeterminism. Fur-
thermore, we have not restricted ourselves to the composition of a finite (or even 
countable) number of automata. While these are natural restrictions (and all of the 
results presented thus far still hold when these restrictions are imposed), we note that 
Lynch and Merritt have made effective use of the composition of a countable number 
of automata in [LM86]. In the remainder of this thesis, we restrict our attention to 
automata modeling systems with a countable number of components. In particular, we 
restrict our attention to countable compositions, and to automata $A$ for which $part(A)$ 
partitions $A$'s locally-controlled actions into a countable number of equivalence classes. 
This restriction becomes relevant in the following section where we define the notion 
of fair computation. 
2.2 Fairness 

Fair computation is of central importance to distributed computation. The mutual 
exclusion problem, for example, has been formulated in [EM72] with the "no lockout" 
condition that if every process is allowed to take steps infinitely often, then every 
process trying to enter its critical region will eventually do so. That is, during fair 
computation every process wishing to enter its critical region will eventually do so. 
More generally, the specification of a distributed system typically includes conditions 
of the form "if condition $P$ holds, then eventually condition $Q$ will hold." The ability 
of a process to satisfy such conditions clearly depends on fair computation. In this 
section we show how fair computation can be described in our model, and we show 
how fair computation induces an interesting equivalence of automata. 

2.2.1 Fair Executions 

As previously mentioned, computation in a system of processes is said to be fair if 
every process is given the chance to make computational progress infinitely often. The 
phrase "given the chance" is important, since a process may not be in a position 
to make progress every time it is given the chance. Recall that associated with an 
automaton $A$ is a partition $part(A)$ of its locally-controlled actions. Intuitively, each 
class of this partition consists of the locally-controlled actions of a process in the system 
being modeled. A fair execution of an automaton $A$ is defined to be an execution $x$ 
such that the following conditions hold for each class $C$ of $part(A)$: 

1. If $x$ is a finite execution, then no action of $C$ is enabled from the final state of $x$. 

2. If $x$ is an infinite execution, then either actions from $C$ appear infinitely often 
in $x$, or states from which no action of $C$ is enabled appear infinitely often in $x$. 

These conditions may be interpreted as follows. If $x$ is finite, then computation in the 
system has halted since no process is able to take another step. If $x$ is infinite, then 
every process has been given the chance to take a step infinitely often, although it may 
be that some process was unable to make computational progress every time it was 
given the chance to do so. Notice that this definition of fairness is essentially what is 
called weak fairness in the literature (see [Fra86], for example). As mentioned in the 
introduction, however, our definition is different in an important way in that it takes 
into consideration the notion of one process controlling the performance of an action. 
In particular, it is possible for an (input) action to be continuously enabled, and yet 
never be performed. We note in passing that our notion of fairness defines the notion 
of a finite fair computation without the usual requirement that finite computations be 
extended in some trivial way to infinite computations. 
The set $fair(A)$ is the set of fair executions of the automaton $A$, and $Fair(A)$ is the 
execution module of $A$ having $fair(A)$ as its set of executions. 

One simple consequence of this definition of fair executions is the following. 

Lemma 18: Every finite execution $x$ of an automaton $A$ can be extended to a 
fair execution $x\pi_1 a_1 \pi_2 a_2 \ldots$ of $A$ (in which every $\pi_i$ is a locally-controlled action of $A$). 

Proof: Let $f$ be a function mapping the natural numbers to the classes of $part(A)$ 
with the property that every class appears in the range of $f$ infinitely often (such a 
function exists since $part(A)$ has countably many classes). Extend $x$ one step at a 
time: at step $k$, if some action from the class $f(k)$ is enabled from the current final 
state, perform one such action; otherwise perform any enabled locally-controlled action 
of $A$, halting if none is enabled. The resulting execution is finite only if no 
locally-controlled action of $A$ is enabled from its final state; and if it is infinite, then 
each class $C$ either contributes actions infinitely often or is disabled at infinitely many 
of the steps $k$ with $f(k) = C$. Hence the extension is a fair execution of $A$. 
□ 

More important, however, is the next lemma, which says that the fair executions of 
a composition are a composition of the fair executions of its components. This result 
depends on the way the partition of a composition's locally-controlled actions is defined. 

Lemma 19: $Fair(\prod_{i \in I} A_i) = \prod_{i \in I} Fair(A_i)$ for all compatible automata $\{A_i : i \in I\}$. 

Proof: Let $A = \prod_i A_i$, $FC = Fair(A)$, and $CF = \prod_i Fair(A_i)$. The execution 
modules $FC$ and $CF$ clearly have the same action signature. We need only 
show that they have the same executions. First, however, notice that since the $A_i$ 
are compatible their locally-controlled actions are disjoint. Furthermore, notice that 
each $A_i$ is input-enabled. It follows that each $A_i$ determines when its locally-controlled 
actions are enabled in the composition $A$: if $\pi$ is a locally-controlled action of $A_i$ and $a$ 
is a state of $A$, then $\pi$ is enabled from $a$ in $A$ iff $\pi$ is enabled from $a|A_i$ in $A_i$. 

Suppose $x$ is a fair execution of $A$, and let us show that $x$ is an execution of $CF$. 
We must show that $x|A_i$ is a fair execution of $A_i$ for all $i$. Let $C$ be a class of locally-
controlled actions of $A_i$, and hence a class of $A$. Suppose $x$ is finite. Since $x$ is a fair 
execution of $A$, no action of $C$ is enabled in $A$ from the final state $a$ of $x$, and hence 
no action of $C$ is enabled in $A_i$ from the final state $a|A_i$ of $x|A_i$. Suppose $x$ is infinite. 
If actions from $C$ appear infinitely often in $x$, they do so in $x|A_i$. On the other hand, 
suppose states appear infinitely often in $x$ from which no action of $C$ is enabled in $A$. 
It follows that either $x|A_i$ is finite and no action of $C$ is enabled from the final state of 
$x|A_i$, or there are infinitely many states appearing in $x|A_i$ from which no action of $C$ 
is enabled. In any case, $x|A_i$ is a fair execution of $A_i$. It follows that $x$ is an execution 
of $CF$. 

Conversely, suppose $x$ is an execution of $CF$, and let us show that $x$ is a fair 
execution of $A$. Let $C$ be a class of locally-controlled actions of $A$, and therefore a class 
of $A_i$ for some $i$. Since $x$ is an execution of $CF$, the execution $x|A_i$ is a fair execution 
of $A_i$. Suppose $x$ is finite, and therefore that $x|A_i$ is finite. Since $x|A_i$ is fair, no action 
of $C$ is enabled from the final state of $x|A_i$, and hence no action of $C$ is enabled from 
the final state of $x$. Suppose $x$ is infinite. If actions from $C$ appear infinitely often 
in $x|A_i$, the same is true of $x$. If states appear infinitely often in $x|A_i$ from which no 
action of $C$ is enabled, the same is true in $x$. However, $x|A_i$ may be finite. In this 
case, no action of $C$ is enabled from the final state of $x|A_i$. Since $x$ is infinite, there is 
a state appearing in $x$ after which no action of $C$ is ever enabled. In any case, $x$ must 
be a fair execution of $A$. It follows that $FC = CF$. □ 

2.2.2 Fair Equivalence 

In Section 2.1 we defined a notion of equivalence based on the external behavior of 
an object. We now define a similar notion of equivalence based on fair external be-
havior. The fair behavior of an automaton $A$, denoted by $Fbeh(A)$, is defined to be 
the schedule module $External(Fair(A))$. We extend this definition to objects of other 
types (execution modules and schedule modules) by setting $Fbeh(O) = Ubeh(O)$. It is 
convenient to denote the set of schedules of $Fbeh(O)$ by $fbeh(O)$, for any object $O$. In 
light of Corollary 8 and Lemma 19, we see that the fair behavior of a composition is 
the composition of the fair behavior of its components. 

Lemma 20: $Fbeh(\prod_{i \in I} O_i) = \prod_{i \in I} Fbeh(O_i)$ for compatible objects $\{O_i : i \in I\}$. 

We say that two objects $O$ and $O'$ are fairly equivalent, denoted $O \equiv^F O'$, if they 
have the same fair behavior; that is, if $Fbeh(O) = Fbeh(O')$. In light of Lemmas 10 
and 20, fair equivalence satisfies the axioms stated for unfair equivalence in Lemma 11. 

Lemma 21: Suppose $O = \prod_i O_i$, $P = \prod_i P_i$, $Q = \prod_i Q_i$, and $R = \prod_i R_i$ where 
the $O_i$, $P_i$, $Q_i$, and $R_i$ are objects. 

1. $O \cdot P \equiv^F P \cdot O$. 

2. $(O \cdot P) \cdot Q \equiv^F O \cdot (P \cdot Q)$. 

3. If $O \equiv^F P$ and $Q \equiv^F R$, then $O \cdot Q \equiv^F P \cdot R$ whenever the compositions $O \cdot Q$ 
and $P \cdot R$ are defined. 
Figure 2.2: The importance of the partition of locally-controlled actions. 

Thus composition is commutative and associative up to fair equivalence, and fair 
equivalence is a weak congruence with respect to composition. With this we conclude 
the discussion of fairness directly related to program verification. In the remainder of 
this section we consider several interesting questions about how fairness is modeled in 
our model. 

2.2.3 Fairness and System Decomposition 

Having seen the definition of a fair execution, the role of the equivalence relation 
$part(A)$ associated with an automaton $A$ is clear: the automaton models a system, 
and the locally-controlled actions of each system component form a separate class of 
the partition. It is worth considering, however, whether this partition is really of any 
importance. We claim that if relationships such as those stated in Lemma 20 are of 
importance (and we think they are), then the information about the system structure 
encoded in the partition of an automaton's locally-controlled actions must be retained. 
Suppose for a moment that we do away with the partition, so that all we know about 
an automaton's locally-controlled action is whether it is an internal or output action. 
Consider the automata $A$ and $B$ given in Figure 2.2, and consider their composition 
$A \cdot B$. Here $\alpha$ is an input action, and $\beta$ and $\gamma$ are output actions. In both automata $A$ 
and $B$, the execution with the infinite sequence of $\alpha$'s as its schedule may be considered 
a fair execution since infinitely often each automaton passes through a state from which 
no locally-controlled action (either $\beta$ or $\gamma$) is enabled. In the composition, however, a 
locally-controlled action is enabled from every state through which such an execution 
must pass, and yet none of these actions appear in the execution. This execution cannot 
be considered a fair execution of the system since the system is never allowed to make 
progress, even though it is able to do so at each stage of the execution. If, on the other 
hand, we recognize that $\beta$ and $\gamma$ are output actions of separate system components, we 
see that infinitely often each component passes through a state from which none of its 
locally-controlled actions is enabled. We therefore conclude that this is an execution of 
the system that is fair to all components, and hence can be considered a fair execution 
of the system. The partition of locally-controlled actions therefore seems to be an 
important component of an input-output automaton. 
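The argument above can be checked mechanically. What follows is an added example, not code from the thesis: a small Python model of finite input-output automata with the composition and fair-execution definitions of Sections 2.1 and 2.2, applied to automata constructed to match the prose description of Figure 2.2 (the drawing itself is not reproduced here, so the concrete states and steps are an assumption); `alpha`, `beta` and `gamma` stand for $\alpha$, $\beta$ and $\gamma$.

```python
"""Added example, not part of the thesis: finite input-output automata with the
composition and fairness definitions of Sections 2.1 and 2.2.  The automata
A and B are constructed to match the prose description of Figure 2.2, whose
drawing is not on the page; their exact states and steps are an assumption."""
from itertools import product


class IOAutomaton:
    def __init__(self, name, inputs, outputs, start, steps, part):
        # steps: set of (state, action, next_state); part: the classes of
        # part(aut), a partition of the locally-controlled (here: output) actions
        self.name = name
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.actions = self.inputs | self.outputs
        self.start, self.steps = frozenset(start), frozenset(steps)
        self.part = [frozenset(c) for c in part]
        self.states = ({s for s, _, _ in self.steps}
                       | {t for _, _, t in self.steps} | self.start)
        assert set().union(*self.part) == self.outputs, "part must cover outputs"
        # input-enabledness: every input action is enabled from every state
        for s, a in product(self.states, self.inputs):
            assert self.enabled(s, a), f"{name}: input {a} not enabled in {s}"

    def enabled(self, state, action):
        return any(s == state and a == action for s, a, _ in self.steps)

    def successors(self, state, action):
        return [t for s, a, t in self.steps if s == state and a == action]


def compose(A, B):
    """Composition A.B of two compatible automata: a shared action is taken by
    both components at once, a non-shared one leaves the other component's
    state unchanged.  The partition of A.B is the union of the partitions."""
    assert not (A.outputs & B.outputs), "compatibility: outputs must be disjoint"
    steps = set()
    for (sa, sb), act in product(product(A.states, B.states), A.actions | B.actions):
        nxt_a = A.successors(sa, act) if act in A.actions else [sa]
        nxt_b = B.successors(sb, act) if act in B.actions else [sb]
        steps |= {((sa, sb), act, (ta, tb)) for ta in nxt_a for tb in nxt_b}
    outputs = A.outputs | B.outputs
    return IOAutomaton(f"{A.name}.{B.name}", (A.inputs | B.inputs) - outputs,
                       outputs, product(A.start, B.start), steps, A.part + B.part)


def is_fair(aut, states, actions, loop=None):
    """Conditions 1 and 2 of Section 2.2.1.  states/actions describe the
    execution states[0] actions[0] states[1] ...; loop=None means the execution
    is finite, loop=k means it is infinite and, after states[-1] (which must
    equal states[k]), repeats states[k:-1] and actions[k:] forever."""
    assert len(states) == len(actions) + 1
    for s, a, t in zip(states, actions, states[1:]):
        assert (s, a, t) in aut.steps, f"{(s, a, t)} is not a step of {aut.name}"
    for cls in aut.part:
        if loop is None:
            # condition 1: nothing in the class is enabled from the final state
            if any(aut.enabled(states[-1], a) for a in cls):
                return False
        else:
            assert states[-1] == states[loop]
            rep_states, rep_actions = states[loop:-1], actions[loop:]
            appears = bool(cls & set(rep_actions))
            disabled_somewhere = any(not any(aut.enabled(s, a) for a in cls)
                                     for s in rep_states)
            # condition 2: actions of the class occur infinitely often, or states
            # with no action of the class enabled occur infinitely often
            if not (appears or disabled_somewhere):
                return False
    return True


# Figure 2.2 as described in the text (constructed): alpha is an input of both
# automata, beta an output of A, gamma an output of B.
A = IOAutomaton("A", {"alpha"}, {"beta"}, {"a0"},
                {("a0", "alpha", "a1"), ("a1", "alpha", "a0"), ("a1", "beta", "a1")},
                [{"beta"}])
B = IOAutomaton("B", {"alpha"}, {"gamma"}, {"b0"},
                {("b0", "alpha", "b1"), ("b1", "alpha", "b0"), ("b0", "gamma", "b0")},
                [{"gamma"}])
AB = compose(A, B)                       # partition {beta}, {gamma}
AB_one_class = IOAutomaton(AB.name, AB.inputs, AB.outputs, AB.start, AB.steps,
                           [{"beta", "gamma"}])   # partition thrown away

# the execution whose schedule is the infinite sequence alpha alpha alpha ...
ALPHA_OMEGA = {
    A: (["a0", "a1", "a0"], ["alpha", "alpha"]),
    B: (["b0", "b1", "b0"], ["alpha", "alpha"]),
}
ALPHA_OMEGA[AB] = ([("a0", "b0"), ("a1", "b1"), ("a0", "b0")], ["alpha", "alpha"])
ALPHA_OMEGA[AB_one_class] = ALPHA_OMEGA[AB]


def alpha_omega_is_fair(aut):
    """Is the infinite alpha-execution fair for aut under aut's partition?"""
    states, actions = ALPHA_OMEGA[aut]
    return is_fair(aut, states, actions, loop=0)


if __name__ == "__main__":
    for aut in (A, B, AB, AB_one_class):
        print(aut.name, sorted(map(sorted, aut.part)), alpha_omega_is_fair(aut))
```

With the partition kept, the alpha-only execution is fair for A, for B and for A.B; with the two classes merged into one it is rejected, exactly the distinction the paragraph draws.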

It is conceivable, however, that an automaton's actions can be partitioned in such a 
way that it is impossible for the automaton to model a system whose components have 
as their locally-controlled actions one class of the partition. It therefore seems possible 
for our intuitive understanding of an automaton's partition of its locally-controlled 
actions to be violated. Let us say that an automaton $A$ is primitive if $part(A)$ consists 
of a single class. Intuitively, such an automaton can model only an "atomic" system 
component. It would be nice to know that every automaton $A$ is (fairly) equivalent 
to a composition of primitive automata, where the locally-controlled actions of each 
primitive automaton form a class of $A$'s partition. This would in effect be saying that 
every automaton does model a system in a way satisfying our intuition. What we can 
prove is the following. An automaton is said to be deterministic if it has one start 
state, and for every action $\pi$ there is at most one $\pi$-step from every state. 

Lemma 22: Let $A$ be an automaton whose equivalence relation $part(A)$ partitions its 
locally-controlled actions into the classes $\{C_i : i \in I\}$. If $A$ is deterministic, then there 
are primitive automata $A_i$ such that $C_i$ is the set of locally-controlled actions of $A_i$, 
and $A \equiv^F Hide_{int(A)}(\prod_{i \in I} A_i)$. 
Proof: Since $A = Hide_{int(A)}(A')$ where $A'$ is the automaton differing from $A$ only in 
that the internal actions of $A$ are output actions of $A'$, we may assume without loss of 
generality that $A$ has no internal actions, and show that $A \equiv^F \prod_{i \in I} A_i$. Let $A_i$ be the 
primitive automaton obtained from $A$ as follows. First, set $in(A_i) = acts(A) - C_i$ and 
$out(A_i) = C_i$. Second, add to $A_i$ a dead state $d$. Finally, to ensure that $A_i$ is input-
enabled, if $\pi$ is an input action that is not enabled from a state $a$, add the transition 
$a \xrightarrow{\pi} d$ from $a$ to the dead state $d$. Let $B = \prod_{i \in I} A_i$. We claim that $A \equiv^F B$. 

Suppose $x$ is a fair execution of $A$. Since $x$ is also an execution of each $A_i$, there is 
an execution $y$ of $B$ such that $y|A_i = x$ for every $i$. We claim that $y$ is a fair execution 
of $B$. If actions from $C_i$ appear infinitely often in $x$, then the same is true of $y$. On 
the other hand, suppose that $\pi$ is an action of $C_i$ that is not enabled from a state $a$ 
of $A$. Then $\pi$ is an (output) action of $A_i$ that is not enabled from the state $a$ in $A_i$, and 
hence not from the corresponding state of $B$ (all of whose components are $a$). It follows 
that if $x$ is finite and no action from $C_i$ is enabled from the final state of $x$, then the 
same is true of $y$; and that if $x$ is infinite and 
there are infinitely many states appearing in $x$ from which no action of $C_i$ is enabled, 
then the same is true of $y$. Therefore, $y$ is a fair execution of $B$. 

Conversely, suppose $y$ is a fair execution of $B$. We claim that $x = y|A_i$ is a fair 
execution of $A$ for every $i$. We will soon show that if $b$ is a reachable state of $B$, then 
all of the components of $b$ are equal, and equal to a state other than $d$. From this it 
will follow that all $y|A_i$ are equal. Furthermore, since $x = y|A_i$, the state $d$ must not 
appear in $x$. Since transitions to $d$ were the only transitions added in the construction 
of $A_i$, $x$ is an execution of $A$. Furthermore, since $x$ is fair in $A_i$, either $x$ is finite and no 
action of $C_i$ is enabled from the final state of $x$; or $x$ is infinite and either actions of $C_i$ 
appear infinitely often in $x$, or states appear infinitely often in $x$ from which no action 
of $C_i$ is enabled. Since this is true for every class $C_i$, $x$ must be a fair execution of $A$. 

We now proceed by induction on the length $l$ of an execution required to reach $b$ to 
show that $b|A_i = b|A_j \neq d$ for all $i$ and $j$. Since $A$ has a single start state, each $A_i$ has 
the same (unique) start state, and the case of $l = 0$ is trivial. Suppose $l > 0$ and the 
inductive hypothesis holds for $l - 1$. Suppose $b$ is reachable by an execution of length $l$ 
whose last transition is $b' \xrightarrow{\pi} b$. Since $b'$ is reachable by an execution of length $l - 1$, 
the inductive hypothesis implies that $b'|A_i = b'|A_j \neq d$ for all $i$ and $j$. Since $\pi$ is either 
an input action of $A$ or an output action of $A$ (and hence of some $A_i$), there must be 
an automaton $A_i$ for which no transition $b'|A_i \xrightarrow{\pi} d$ was added during its construction. 
It follows that $b'|A_i \xrightarrow{\pi} b|A_i$ must be a transition of $A$, and hence that no dead state 
transition was added from $b'|A_j$ during the construction of any $A_j$. Therefore, every 
step $b'|A_i \xrightarrow{\pi} b|A_i$ is a step of $A$. Since $A$ is deterministic, there is only one such step, 
so $b|A_i = b|A_j \neq d$ for all $i$ and $j$. □ 

This result says that our intuition (our understanding of an automaton's partition 
of its locally-controlled actions) is satisfied by a very restricted class of automata. It 
does not seem to be true, however, for arbitrary automata (although Lemma 22 does 
hold for arbitrary automata if fair equivalence is replaced by unfair equivalence, the 
proof of this using the same construction as in the proof of Lemma 22). The reason the 
construction given above will not work for nondeterministic automata is clear: the ex-
istence of nondeterminism allows the components to diverge during computation. Each 
component may then pass through states from which none of its locally-controlled ac-
tions are enabled, from which it follows that no locally-controlled actions appear in the 
executions generated by any of the components. Since, however, each component may 
pass through states from which all locally-controlled actions of all remaining compo-
nents are always enabled, none of the executions generated by any of the components 
are fair executions of the original automaton $A$, whose classes are the output actions of 
the component automata. What is obviously required is a coordinator or scheduler $S$ to 
ensure that all automata choose the same transition at every step. With this intuition 
in mind, we now prepare to show the following. 

Theorem 23: Let $A$ be an automaton whose equivalence relation $part(A)$ partitions its 
locally-controlled actions into the classes $\{C_i : i \in I\}$. There are primitive automata $A_i$ 
and $S$ such that $C_i$ is the set of locally-controlled actions of $A_i$, $\Sigma$ is the set of locally-
controlled actions of $S$, and $A \equiv^F Hide_{int(A) \cup \Sigma}(\prod_{i \in I} A_i \cdot S)$. 

The primitive automata $A_i$ used in this construction are essentially the primitive 
automata of Lemma 22, but a scheduler $S$ must be able to direct all of them to take 
the same step. These directions tell the component automata which transition they are 
supposed to make. We add them to $A$ as an additional class of internal actions, with the 
following result. 

Lemma 24: For every automaton $A$, there is a deterministic automaton $B$ such that 
$A \equiv^F B$, and the locally-controlled actions of $B$ are partitioned into the classes of $A$ 
together with an additional class $\Sigma$ of internal actions. 

Proof: For ease of exposition, we construct a nondeterministic automaton $B$ and then 
transform it into the desired deterministic automaton. The states of $B$ 
are of the form $(a, \alpha)$ where $a$ is a state and $\alpha$ is a (possibly empty) sequence of 
actions: specifically, they are the pairs $(a, \alpha)$ and $(s, \alpha)$, where $a$ is a state of $A$, $s$ is a 
distinguished start state, and $\alpha$ is a (possibly empty) sequence of actions of $A$. The 
start state of $B$ is $(s, \varepsilon)$, where $\varepsilon$ is the empty sequence of actions. The action 
signature of $B$ is that of $A$ together with a new internal action $\pi$, the scheduling 
action, which forms its own class of the partition. The transitions of $B$ from a 
state $(a, \alpha)$, where $a$ is a state of $A$, are as follows: 

$$(a, \alpha) \xrightarrow{\pi} (a', \varepsilon) \text{ in } B \text{ iff } a \xrightarrow{\alpha} a' \text{ in } A$$ 
$$(a, \alpha) \xrightarrow{\sigma} (a, \alpha\sigma) \text{ in } B \text{ iff } a \xrightarrow{\alpha\sigma} a' \text{ in } A \text{ for some } a'$$ 

The scheduling action $\pi$ determines what transitions $A$ actually makes from the state $a$ 
when the sequence of actions $\alpha$ is actually performed. All other actions are simply 
recorded in the sequence $\alpha$. The transitions of $B$ from a state $(s, \alpha)$ are as follows: 

$$(s, \alpha) \xrightarrow{\pi} (a, \varepsilon) \text{ in } B \text{ iff } a_0 \xrightarrow{\alpha} a \text{ in } A \text{ for some start state } a_0$$ 
$$(s, \alpha) \xrightarrow{\sigma} (s, \alpha\sigma) \text{ in } B \text{ iff } \sigma \text{ is an input action of } A$$ 

Notice that only input actions and $\pi$ are enabled from a state of the form $(s, \alpha)$. In 
this way fair computation will guarantee that $\pi$ is eventually performed, and hence 
that an initial state is chosen for $A$. Thus, the scheduling action $\pi$ chooses the initial 
state of $A$, as well as the steps taken by $A$ during computation. We claim that $A \equiv^F B$. 

Suppose that $A$'s locally-controlled actions are partitioned into the classes $\{C_i : i \in I\}$. 
These classes together with the class $\{\pi\}$ are the classes of $B$. 

Let $x$ be a fair execution of $A$. Let $y$ be the execution of $B$ obtained by replacing 
each transition $a \xrightarrow{\sigma} a'$ of $x$ by the transitions $(a, \varepsilon) \xrightarrow{\sigma} (a, \sigma) \xrightarrow{\pi} (a', \varepsilon)$, followed by 
the infinite sequence of transitions $(a, \varepsilon) \xrightarrow{\pi} (a, \varepsilon) \xrightarrow{\pi} \cdots$ in the case that $x$ is a finite 
execution ending in the state $a$. Suppose $x$ is finite. Since $x$ is fair, no locally-controlled 
action is enabled in $A$ from the final state $a$ of $x$. It follows that no locally-controlled 
action of $B$ is enabled from any of the infinite occurrences of $(a, \varepsilon)$ in $y$, except for $\pi$, 
which occurs infinitely often. Hence, $y$ is a fair execution of $B$. Next, suppose 
that $x$ is infinite. Since $x$ is fair, for each class $C_i$ either actions from $C_i$ appear infinitely 
often in $x$, or from infinitely many states appearing in $x$ no action from $C_i$ is enabled. 
In the first case, actions from $C_i$ appear infinitely often in $y$. In the second case, since 
an action $\sigma$ is enabled from a state $a$ of $A$ iff it is enabled from $(a, \varepsilon)$ in $B$, infinitely 
many states appear in $y$ from which no action of $C_i$ is enabled. Since, in addition, $\pi$ 
appears infinitely often in the execution, $y$ must be a fair execution of $B$. 

Conversely, let $y$ be a fair execution of $B$. From the definition of $B$ we see that 
if $(a, \varepsilon) \xrightarrow{\sigma_1} (a, \sigma_1) \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n} (a, \sigma_1 \cdots \sigma_n) \xrightarrow{\pi} (a', \varepsilon)$ is a sequence of transitions in $B$, then 
$a \xrightarrow{\sigma_1} a_1 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n} a'$ is a sequence of transitions of $A$. In addition, if $(s, \varepsilon) \xrightarrow{\sigma_1} (s, \sigma_1) \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n}$ 
$(s, \sigma_1 \cdots \sigma_n) \xrightarrow{\pi} (a, \varepsilon)$ is a sequence of transitions in $B$, then $a_0 \xrightarrow{\sigma_1} a_1 \xrightarrow{\sigma_2} \cdots \xrightarrow{\sigma_n} a$ is a 
sequence of transitions of $A$ for some start state $a_0$ of $A$. Let $x$ be the execution 
of $A$ obtained by replacing every such sequence in $y$ by the corresponding sequence of 
transitions of $A$. Since $y$ is fair, the action $\pi$ must appear infinitely often in $y$, and 
hence $y$ must be infinite. If actions from $C_i$ appear infinitely often in $y$, then the same 
is true in $x$. If not, then there are infinitely many states appearing in $y$ from which no 
action of $C_i$ is enabled. Notice that if an action $\sigma$ other than $\pi$ is not enabled from 
the state $(a, \alpha)$ in $B$, then for all states $a'$ of $A$ such that $a \xrightarrow{\alpha} a'$ it must be that $\sigma$ 
is not enabled from $a'$. It follows that either $x$ is finite and no action of $C_i$ is enabled 
from the final state of $x$, or there are infinitely many states appearing in $x$ from which 
no action of $C_i$ is enabled. In either case, $x$ must be a fair execution of $A$. 

We have just shown that $A \equiv^F B$. However, we are not yet done since $B$ is not 
yet deterministic: there are potentially many $\pi$-steps from every state of $B$. However, 
we can assign to each $\pi$-step a unique identifier, and tag the $\pi$ labeling the step with 
this identifier. Replacing the action $\pi$ with the set $\Sigma$ of newly-tagged $\pi$'s, it is easy 
to see that this automaton is fairly equivalent to $B$, and hence also to $A$. Since this 
automaton is a deterministic automaton (with an extra class $\Sigma$ of internal actions), we 
are done. □ 

We are now able to prove Theorem 23. 

Proof of Theorem 23: Given the automaton $A$, construct the automaton $B$ of 
Lemma 24. The automaton $B$ is fairly equivalent to $A$, and its locally-controlled 
actions are partitioned into the same classes as those into which $A$'s actions are par-
titioned, together with an additional class $\Sigma$ of internal actions. Furthermore, $B$ is a 
deterministic automaton. Lemma 22 says there are primitive automata $A_i$ and $S$ with 
$C_i$ and $\Sigma$ as their respective sets of locally-controlled actions, such that $B$ (and hence $A$) 
is fairly equivalent to $Hide_{int(B)}(\prod_{i \in I} A_i \cdot S)$, which is just $Hide_{int(A) \cup \Sigma}(\prod_{i \in I} A_i \cdot S)$. □ 

Figure 2.3: Fair equivalence and unfair equivalence are incomparable. 

2.2.4 Comparing Fair and Unfair Equivalence 

Having defined two types of equivalence, fair equivalence and unfair equivalence, it is 
natural to ask how they are related. Since $Fbeh(O) = Ubeh(O)$ when $O$ is an execution 
module or schedule module, fair and unfair equivalence are identical for execution 
modules and schedule modules. For automata, however, they are incomparable. 

Consider, for example, the automata of Figure 2.3. The (primitive) automata $A$ 
and $B$ have an input action $\alpha$ and an output action $\beta$. The unfair behavior of 
both $A$ and $B$ consists of all sequences of $\alpha$ and $\beta$, so $A$ and $B$ are unfairly equivalent. 
The fair behavior of $A$, however, includes the infinite sequence of $\alpha$'s. Since the fair 
behavior of $B$ does not, $A$ and $B$ are fairly inequivalent. On the other hand, $C$ and $D$ are 
two (nonprimitive) automata with output actions $\alpha$ and $\beta$, each forming a separate class 
in the partition of the locally-controlled actions. The fair behavior of $C$ and $D$ consists 
of finite sequences of $\alpha$'s followed by a $\beta$ and an infinite sequence of $\alpha$'s, so $C$ and $D$ 
are fairly equivalent. The unfair behavior of $C$, however, includes the infinite sequence 
of $\alpha$'s. Since the unfair behavior of $D$ does not, $C$ and $D$ are unfairly inequivalent. 

Thus, in general, fair equivalence and unfair equivalence are incomparable. The 
following lemma, however, indicates that fair equivalence implies unfair equivalence in 
the case of primitive automata. Since the primitive automata $A$ and $B$ of Figure 2.3 are 
unfairly equivalent but not fairly equivalent, we see that fair equivalence is a stronger 
equivalence than unfair equivalence in the case of primitive automata. 

Lemma 25: Let $A$ and $B$ be two primitive automata. If $A$ and $B$ are fairly equivalent, 
then $A$ and $B$ are unfairly equivalent. 

Proof: It is enough to check that $scheds(A)|ext(A) = scheds(B)|ext(B)$. Suppose $x$ 
is an execution of $A$. If an infinite number of locally-controlled actions appear in $x$, 
then since $A$ is a primitive automaton (with a single class of locally-controlled ac-
tions), $x$ is a fair execution of $A$. Since $A$ and $B$ are fairly equivalent, there is a fair 
execution $y$ of $B$ such that $sched(x)|ext(A) = sched(y)|ext(B)$. On the other hand, 
if only a finite number of locally-controlled actions appear in $x$, then we may write 
$x = x'x''$ where $x'$ is a finite execution of $A$, and every locally-controlled action ap-
pearing in $x$ appears in $x'$. By Lemma 18, the finite execution $x'$ can be extended 
to a fair execution $z$ of $A$. Since $A$ and $B$ are fairly equivalent, there is a fair exe-
cution $y$ of $B$ such that $sched(z)|ext(A) = sched(y)|ext(B)$. Thus, there is a finite 
execution $y'$ of $B$, a prefix of $y$, such that $sched(x')|ext(A) = sched(y')|ext(B)$. Since $B$ 
is input-enabled and no locally-controlled action appears in $x$ after $x'$, $y'$ may be ex-
tended to an execution $y''$ of $B$ such that $sched(x)|ext(A) = sched(y'')|ext(B)$. Thus, 
$scheds(A)|ext(A) \subseteq scheds(B)|ext(B)$. Since the opposite containment follows by a 
symmetric argument, we are done. □ 

2.3 Hierarchical Correctness Proofs 

The problem motivating this thesis is the construction of hierarchical correctness proofs
for distributed algorithms. We have already mentioned in the introduction how such a
proof might be constructed. First, a sequence of models O_1, ..., O_n are defined, objects
of some type modeling the algorithm at decreasing levels of abstraction. Each model O_i
is then shown to "simulate" O_{i-1} in some appropriate sense of the word "simulate." In
such a proof, each O_{i-1} can be viewed as the statement of a problem O_i is required to
solve. O_i may be said to solve the problem specified by O_{i-1} if every behavior of O_i
is a behavior of O_{i-1}. O_i solves the problem specified by O_{i-1} in the sense that every
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correctness condition satisfied by each behavior of O_{i-1} is also satisfied by each behavior
of O_i. However, as previously mentioned, the satisfaction of certain liveness conditions
depends on fair computation. We therefore require only that every fair behavior of O_i
be a fair behavior of O_{i-1}. That is, O_i is said to satisfy O_{i-1} if fbeh(O_i) ⊆ fbeh(O_{i-1}).
We also require that O_i and O_{i-1} have the same external action signature.

Notice, however, that this notion of correctness is not completely satisfactory. In
particular, a schedule module O_i with no schedules trivially satisfies every problem O_{i-1}
(with the same external action signature). Furthermore, since the schedules of O_i are
allowed to be arbitrary sequences of actions, it is conceivable that they may encode
information allowing the solution of undecidable problems, and hence not be behaviors
of an implementable system. In an attempt to avoid such anomalies, we say that the
object O_{i-1} is implementable if there is an automaton satisfying O_{i-1}. The object O_{i-1} is
implementable in the sense that there is a system satisfying every correctness condition
satisfied by O_{i-1}. Furthermore, since O_{i-1} is satisfied by an automaton, and since
every automaton is input-enabled, the object O_{i-1} must describe a response to every
possible pattern of input. That is, the behavior of O_{i-1} is nontrivial. We say that O_i
solves O_{i-1} if O_i is an implementable object satisfying O_{i-1}. In the context of constructing
hierarchical correctness proofs, such a proof consists of a sequence O_1, ..., O_n of objects
and the verification that each O_i solves O_{i-1}.

Clearly, the notion of satisfaction is the basis of each of these definitions. The 
remainder of this section concerns techniques for verifying that one object satisfies 
another. Two properties of satisfaction are very easy to see. The first is that satisfaction 
is transitive, and a weak congruence with respect to composition. 

Lemma 26: Consider the objects O_i, P_i, and Q_i, for i ∈ I.

1. If O_i satisfies P_i and P_i satisfies Q_i, then O_i satisfies Q_i.

2. If O_i satisfies P_i for every i ∈ I, then Π_i O_i satisfies Π_i P_i whenever the
compositions Π_i O_i and Π_i P_i are defined.

Proof: The proof of the first part is immediate from the definition of satisfaction.
The second part requires some proof. As a result of Corollary 8, the external action
signature of Π_i O_i is the composition of the external action signatures of the O_i, and
similarly for Π_i P_i. Since O_i and P_i have the same external action signature for all
i ∈ I, so do Π_i O_i and Π_i P_i. Since fbeh(O_i) ⊆ fbeh(P_i) for all i ∈ I, it follows by
Lemma 20 that fbeh(Π_i O_i) ⊆ fbeh(Π_i P_i). Therefore, Π_i O_i satisfies Π_i P_i. □

A second property of satisfaction is its invariance under action renaming. 

Lemma 27: Let f be an action mapping applicable to the objects O and P. If O
satisfies P, then f(O) satisfies f(P).
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Proof: Since O and P have the same external action signature, so do f(O) and f(P). Using Lemma 15 we see that
fbeh(f(O)) ⊆ fbeh(f(P)). Thus, f(O) satisfies f(P). □

While we have repeatedly indicated that our hierarchical correctness proofs consist
of a sequence of objects O_1, ..., O_n modeling an algorithm at different levels of abstraction,
our proofs typically have more structure than this. In the proof of Schonhage's
resource arbiter (in the next chapter), for example, we actually construct for each level
of abstraction an automaton A_i describing the algorithm at the appropriate level of
abstraction. This automaton describes as much of the algorithm as can be described
by its static nature. In particular, the automaton A_i encodes all safety conditions
required. If liveness conditions are required, we construct an execution module E_i of A_i
with those executions of A_i satisfying the desired liveness conditions. The objects O_i
referred to above are actually the execution modules E_i. We note, however, that the
execution module E_n at the lowest level of abstraction typically consists of the fair
executions of A_n. Thus, at the lowest level of abstraction the protocol is completely
described by an automaton, and we could use the object A_n in place of the execution
module E_n in the correctness proof. Since automata and execution modules are the
types of objects most frequently used in correctness proofs, in the remainder of this
section we give techniques for proving the satisfaction of one automaton or execution
module by another.

2.3.1 Automaton Satisfaction 

We now describe one method for proving that an automaton A satisfies an automaton B.
This method makes use of the notion of a possibilities mapping, a correspondence
between the states of the two automata that can be used to prove that A
satisfies B.

Suppose A and B are automata with the same external action signature, and suppose
h is a mapping from states(A) to the power set of states(B). The mapping h is
said to be a possibilities mapping from A to B if the following conditions hold:

1. For every start state a of A, there is a start state b of B such that b ∈ h(a).

2. For every reachable state a of A, every step (a, π, a') of A, and every reachable
state b ∈ h(a) of B:

(a) If π ∈ acts(B), then there is a step (b, π, b') of B such that b' ∈ h(a').

(b) If π ∉ acts(B), then b ∈ h(a').

If a is a state of A, then a state b ∈ h(a) of B is referred to as a possibility for a.
Informally, b is an abstract state corresponding to the less abstract state a. The fact
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that h maps a to a set of possibilities allows for the chance that many abstract states
may correspond to the single concrete state a. The first condition of a possibilities
mapping says that every start state of A has as one of its possibilities a start state
of B. The second condition says that steps of A and B preserve possibilities: If b is a
possibility for a, then for every step (a, π, a') of A either b is also a possibility for a',
or there is a step (b, π, b') of B with the property that b' is a possibility for a'. This
definition generalizes the definition of a possibilities mapping used in the context of
[illegible in the scanned source] (see [reference illegible]). It is also reminiscent of the notion of bisimulation
from CCS presented in [Mil80]. Roughly speaking, a possibilities mapping from A
to B is a mapping from the states of A to the states of B with the property that if a
corresponds to b, and if A can make a transition via the action π from a to a', then B
can make a transition via the action π from b to a state b' corresponding to a'. Milner's
notion of bisimulation is essentially a pair of possibilities mappings, one from A to B
and another from B to A.

We now show how to use a possibilities mapping to prove that A satisfies B. Our
first step is to show how such a mapping relates the executions of A to the executions
of B. Given two finite executions x and y of A and B, respectively, we say that y
finitely corresponds to x under h if sched(y) = sched(x)|B and the final state of y is a
possibility for the final state of x. In general, if x and y are two executions of A and B,
we say that y corresponds to x under h if for every finite prefix x_i = a_0 π_1 a_1 ... a_i of x
there is a finite prefix y_i of y finitely corresponding to x_i under h such that y is the limit
of the y_i. Informally, the executions x and y model the same computation at different
levels of abstraction. Our next result shows that by inductively constructing the y_i it
is always possible to construct such an execution y.

Lemma 28: Let h be a possibilities mapping from A to B. If x is an execution of A,
then there is an execution y of B corresponding to x under h.

Proof: Let x = a_0 π_1 a_1 .... For each i ≥ 0, let x_i = a_0 π_1 a_1 ... a_i. We construct the
finitely corresponding y_i inductively, and take y to be the limit of the y_i. Since a_0 is
a start state of A, the set h(a_0) must contain a start state of B, and hence it is easy
to choose an execution y_0 finitely corresponding to x_0 under h. Suppose y_{i-1} finitely
corresponds to x_{i-1} under h, and let us construct y_i. First, a_{i-1} is a reachable state
of A, and (a_{i-1}, π_i, a_i) is a step of A. Second, the final state b of y_{i-1} is a reachable state
of B in h(a_{i-1}). If π_i ∈ acts(B), then by the definition of h there is a state b' in h(a_i)
such that (b, π_i, b') is a step of B. If y_i = y_{i-1} π_i b', then the final state of y_i is in h(a_i)
and sched(x_i)|B = sched(y_i). If π_i ∉ acts(B), then from the definition of h we see that
b ∈ h(a_i). If y_i = y_{i-1}, then the final state of y_i is in h(a_i) and sched(x_i)|B = sched(y_i).
In either case, y_i finitely corresponds to x_i under h. □

Since each pair of prefixes x_i and y_i satisfies the condition sched(x_i)|B = sched(y_i),
it is easy to see that the executions x and y do so as well.

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Lemma 29: Let h be a possibilities mapping from A to B. If the execution y of B
corresponds to the execution x of A under h, then sched(x)|B = sched(y).

Proof: Since y is the limit of the finitely corresponding y_i, every finite prefix of sched(y)
is a prefix of sched(y_i) for some i, and similarly every finite prefix of sched(x)|B is a prefix
of sched(x_i)|B for some i. Since sched(x_i)|B = sched(y_i) for every i, the sequences
sched(x)|B and sched(y) have the same finite prefixes, and hence are equal. □

With this result relating the executions of A and B, we show how a possibilities
mapping can be used to show that A satisfies B.

Lemma 30: Let h be a possibilities mapping from A to B, and suppose part(B) ⊆ part(A).
Suppose the following condition holds for all reachable states a of A and for all
classes C and D of part(A) and part(B), respectively, such that C ⊇ D: If an action of D
is enabled from a reachable state of h(a), then an action of D is enabled from a and no
action of C − D is enabled from a. Then A satisfies B.

Proof: Since h is a possibilities mapping from A to B, both automata have the same
external action signature. Let x = a_0 π_1 a_1 ... be a fair execution of A, and let y be the
execution of B corresponding to x under h given by Lemma 28; by Lemma 29 we have
sched(x)|B = sched(y). It is enough to show that y is a fair execution of B. Let D be a
class of part(B), and let C be the class of part(A) containing D. [Parts of the remainder
of this proof are illegible in the scanned source; the argument below follows the legible
fragments.]

Suppose first that y is finite, and that an action of D is enabled from the final state b
of y. Since y is finite, y = y_i for all sufficiently large i, so b is the final state of y_i and
b ∈ h(a_j) for every j ≥ i. By the condition of the lemma, an action of D is enabled in A
from every a_j (j ≥ i), and no action from C − D is enabled from a_j. Thus for every
state a_j (j ≥ i) an action of C is enabled, and yet no action of C appears in x after a_i
(such an action would be an action of D, and hence of B, and would appear in y),
contradicting our initial assumption that x is a fair execution of A. So y must be a fair
execution of B.

Suppose now that y is infinite. Suppose there is a class D of part(B) such that an
action of D is enabled from all but finitely many states of y, but only finitely many
actions of D appear in y. It follows that for all but finitely many i, an action of D is
enabled from a reachable state of h(a_i) in B. Therefore, for all but finitely many i,
there is an action of D enabled from a_i in A and no action from C − D enabled from a_i.
Since x is a fair execution of A, this means that actions of C appear infinitely often
in x, and all but finitely many of them are actions of D. Since sched(x)|B = sched(y),
infinitely many actions of D appear in y, a contradiction. Thus y is a fair execution
of B. Since every fair execution of A therefore has a corresponding fair execution of B
with the same schedule restricted to the external actions, fbeh(A) ⊆ fbeh(B), and A
satisfies B. □
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We remark that the requirement that part(B) be contained in part(A) is not
unreasonable when B models an algorithm at a higher level of abstraction than A. The
restriction implies that the actions of B are a subset of the actions of A. Since A and B
have the same external action signature (h is a possibilities mapping from A to B),
this implies that some low-level internal actions of A may not be internal actions of B.
Even when this requirement is not met, however, the correspondence between states
established by a possibilities mapping is still a useful correspondence when reasoning
about the behavior of the automaton. For example, in Section 2.3.2 we will see how
this correspondence can be used to verify that one execution module (of an automaton)
satisfies a second.

Our final result concerning possibilities mappings shows that possibilities mappings
have a very nice local behavior: Given two automata A = Π_i A_i and B = Π_i B_i, together
with a possibilities mapping from A_i to B_i for every i, these possibilities mappings
induce a possibilities mapping from A to B.

Lemma 31: Suppose for all i ∈ I that h_i is a possibilities mapping from A_i to B_i, and
that the A_i and the B_i are compatible. Let A = Π_i A_i and B = Π_i B_i. If h is the mapping from
states(A) to the power set of states(B) defined by h(a) = {b : b|B_i ∈ h_i(a|A_i) for all i ∈ I}, then h
is a possibilities mapping from A to B.

Proof: As a result of Corollary 8, the external action signature of a composition is the
composition of the external action signatures of its components. Since the A_i and B_i
have the same external action signatures, A and B must also have the same external
action signature. Thus, we need only check that conditions 1 and 2 of a possibilities
mapping hold. For the first condition, for every a_i ∈ start(A_i) there is a b_i ∈ start(B_i)
such that b_i ∈ h_i(a_i). Thus, for every a ∈ start(A) there is a b ∈ start(B) such that
b ∈ h(a). For the second condition, suppose that a is a reachable state of A, (a, π, a')
is a step of A, and b ∈ h(a) is a reachable state of B. Let a_i = a|A_i, a'_i = a'|A_i, and
b_i = b|B_i for every i ∈ I. Notice that, since a and b are reachable states of A and B,
a_i and b_i must be reachable states of A_i and B_i.

Suppose that π ∈ acts(B). We must construct a step (b, π, b') of B with b' ∈ h(a').
Suppose π ∈ acts(B_i). Then π ∈ acts(A_i), so (a_i, π, a'_i) must be a step of A_i. Since h_i
is a possibilities mapping from A_i to B_i, there is a step (b_i, π, b'_i) of B_i with b'_i ∈ h_i(a'_i).
Suppose π ∉ acts(B_i). If π ∈ acts(A_i), then (a_i, π, a'_i) is a step of A_i, and b_i ∈ h_i(a'_i)
by definition of h_i. If π ∉ acts(A_i), then a_i = a'_i, and so b_i ∈ h_i(a_i) = h_i(a'_i). In either
case, let b'_i = b_i. It follows that (b_i, π, b'_i) is a step of B_i if π ∈ acts(B_i), and that b_i = b'_i
if π ∉ acts(B_i). If b' is the state of B such that b'_i = b'|B_i for all i, then (b, π, b') is a
step of B. Furthermore, b' ∈ h(a') as desired.

Suppose that π ∉ acts(B). Then π ∉ acts(B_i) for all i. As above, b_i ∈ h_i(a'_i) for
all i, and so b ∈ h(a') as desired. Thus, h is a possibilities mapping from A to B. □
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2.3.2 Execution Module Satisfaction

As previously mentioned, when constructing the correctness proof of an algorithm we
first construct automata A_1, ..., A_n describing the algorithm at several levels of
abstraction. If the algorithm is required to satisfy certain liveness conditions, we also
construct execution modules E_i of A_i describing these liveness conditions. The remainder
of the correctness proof consists of proving that each E_i satisfies E_{i-1}. We now
show how possibilities mappings can be used to prove that certain execution modules
satisfy other execution modules.

We remark that one correctness condition common to many system specifications
is a condition of the form "if condition P holds, then eventually condition Q holds."
Lamport denotes this temporal logic statement □(P ⊃ ◇Q) by P ⇝ Q in [Lam77],
read "P leads to Q." Given an automaton A, a set of states S, and a set of actions T, a
simple correctness condition common to specifications in our model (see Chapter 3, for
instance) is the condition "if the current state of A is contained in S, then eventually
an action of T will be performed." With Lamport's notation in mind, we denote this
condition by S ⇝ T.¹ Given two execution modules E and F satisfying a collection of
such conditions, we now show how a possibilities mapping can be used to show that E
satisfies F. We begin with a result relating individual executions.

Lemma 32: Let h be a possibilities mapping from A to B. Let x be an execution
of A, and let y be an execution of B corresponding to x under h.

1. If y satisfies U ⇝ V, and if h(S) ⊆ U and T ⊇ V, then x satisfies S ⇝ T.

2. If x satisfies S ⇝ T, and if S ⊇ h^{-1}(U) and T ⊆ V, then y satisfies U ⇝ V.

Proof: Let x = a_0 π_1 a_1 ..., and let y = b_0 φ_1 b_1 .... For each i ≥ 0, let x_i = a_0 π_1 a_1 ... a_i,
and let y_i be the prefix of y finitely corresponding to x_i under h.

Suppose y satisfies U ⇝ V, and let us show that x satisfies S ⇝ T. It is enough
to show that if a_k ∈ S, then π_l ∈ T for some l > k. Since y_k finitely corresponds to x_k
under h, we have y_k = b_0 φ_1 b_1 ... b_m with b_m ∈ h(a_k) for some m. Since a_k ∈ S and
h(S) ⊆ U, we have b_m ∈ U. Since y satisfies U ⇝ V, we have φ_n ∈ V for some n > m.
Since V ⊆ T, for some l > k we have sched(x_l)|B = sched(y_n) where sched(x_l)|B and
sched(y_n) both end with φ_n. Therefore, for some l > k we have π_l = φ_n ∈ T, as
desired.

Conversely, suppose x satisfies S ⇝ T, and let us show that U ⇝ V is satisfied by y.
It is enough to show that if b_k ∈ U, then φ_l ∈ V for some l > k. Since y_m = b_0 φ_1 ... b_k
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and x_m = a_0 π_1 ... a_m for some m, we have b_k ∈ h(a_m). Since b_k ∈ U
and S ⊇ h^{-1}(U), we have a_m ∈ S. Since x satisfies S ⇝ T, for some n > m we have
π_n ∈ T. Since sched(x_n)|B = sched(y_n) and T ⊆ V ⊆ acts(B), we see that the final
action of y_n is π_n. If y_n = b_0 ... φ_l b_l, then φ_l = π_n ∈ V for some l > k as desired. □

¹The statement S ⇝ T is essentially a statement in temporal logic, as is □(P ⊃ ◇Q). The fact that
executions are sequences of states and actions, instead of simply infinite sequences of states, means the
standard model for temporal logic must be slightly modified if the condition S ⇝ T is to be expressed
in temporal logic.

With this result, we are now able to give the following sufficient condition for the 
satisfaction of one execution module by another. 

Lemma 33: Let h be a possibilities mapping from A to B. Let E be the execution
module of A with the executions of A satisfying the conditions S_i ⇝ T_i for every
i ∈ I, and let F be the execution module of B with the executions of B satisfying the
conditions U_i ⇝ V_i for every i ∈ I. If for every i ∈ I we have that S_i ⊇ h^{-1}(U_i) and
T_i ⊆ V_i, then E satisfies F.

Proof: Since h is a possibilities mapping from A to B, these automata (and hence
the execution modules E and F) have the same external action signature. Let x be an
execution of E and let y be an execution of B corresponding to x under h. Since x
satisfies S_i ⇝ T_i for every i, Lemma 32 implies that y satisfies U_i ⇝ V_i for every i. It
follows that y is an execution of F. Therefore, fbeh(E) ⊆ fbeh(F), and E satisfies F. □

We conclude with a simple result relating conditions of the form S ⇝ T satisfied
by executions of a composition of automata to conditions of the form S_i ⇝ T satisfied
by executions of an individual component.

Lemma 34: Let A = Hide_Σ(Π_i A_i). Let S ⊆ states(A), and let S_i = {s|A_i : s ∈ S}.
If x is an execution of A, then x satisfies S ⇝ T iff x|A_i satisfies S_i ⇝ T.
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Chapter 3 
An Example 



As an example of the hierarchical organization of correctness proofs proposed in the 
preceding chapter, in this chapter we prove the correctness of Schonhage's distributed 
resource allocation algorithm described in the introduction. The problem is to design 
an arbiter allocating a resource among a collection of users that guarantees the mutual 
exclusion condition that at most one user is using the resource at any given time; 
and the no lockout condition that if users holding the resource eventually return the 
resource, then the arbiter will eventually satisfy every requesting user. The distributed 
system in which this arbiter is to be used is completely asynchronous: processor speeds
may be independent; messages may take an arbitrary, finite amount of time to be 
delivered; and messages may be delivered in any order. 

The arbiter itself is described in parallel with the proof of its correctness. We begin 
with a high-level model serving as a simple specification of the problem the arbiter is 
to solve. We then give a graph-theoretic description of the algorithm's global behavior. 
Finally, the arbiter is distributed and described in terms of a low-level protocol to be
followed by the processors comprising the arbiter. We show that this low-level model 
solves the high-level problem specification, and hence that the given protocol is a correct 
solution to the arbiter's problem specification. 



3.1 The Automaton A_1

Our high-level model of the arbiter, the automaton A_1, is a very simple specification
of the arbiter's correctness conditions. We refer to the arbiter itself as a, and to the
users of the arbiter as u_1, ..., u_n.¹

¹In general, we will denote entities associated with the arbiter by the letter a, and entities associated
with the users by the letter u. Letters near the end of the alphabet such as v and w will be used to denote
entities associated with either the arbiter or the users.
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Input Actions:
  request(u)
    effects:
      requesters ← requesters ∪ {u}

  return(u)
    effects:
      if holder = u then holder ← a

Output Actions:
  grant(u)
    preconditions:
      u ∈ requesters
      holder = a
    effects:
      requesters ← requesters − {u}
      holder ← u

Figure 3.1: The actions of A_1.



3.1.1 The States of A_1

A state of A_1 consists of a set requesters ⊆ {u_1, ..., u_n} of requesting processes, together
with a value holder ∈ {u_1, ..., u_n, a} indicating the entity currently holding the resource
(either a user or the arbiter itself). The start state of A_1 is the state in which the set
requesters of requesting users is empty, and the initial holder is the arbiter a itself. We
note that all states of A_1 are reachable, as will become clear when the actions of A_1
have been introduced.

3.1.2 The Actions of A_1

The actions of A_1 are given in Figure 3.1. We specify the transition relation of an
automaton by giving for each action a list of preconditions and effects. An action is 
enabled from any state s satisfying the action's preconditions, and the action takes s 
to the state t if t can be obtained by modifying s as indicated by the action's effects. 
Since input actions are enabled from every state, we omit the preconditions of input
actions. 

The input actions of A_1 are of the form request(u) and return(u), where u is a user.
The action request{u) simply places the user u in the set requesters of requesting users. 
Since automata are input-enabled, a user is able to request the resource at any time, 
even when it is currently holding the resource. The effect of a user's requesting the 
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resource while holding the resource is that the request is recorded for later use (later 
servicing of the user). The action return(u) returns the resource to the arbiter by
making the arbiter the new holder of the resource. Notice that if a (faulty) user tries
to return the resource when it does not actually hold it, the arbiter simply ignores the
"return." The automaton A_1 has no internal actions. The output actions of A_1 are of
the form grant(u), where u is again a user. The arbiter grants the resource to u with
the action grant(u), which removes u from the set of requesting users and makes u
the new holder of the resource. Notice that the arbiter grants the resource only when 
the arbiter actually holds the resource. Consequently, at most one user is using the 
resource at any time. 

3.1.3 The Execution Module E_1

While the executions of A_1 satisfy the mutual exclusion condition that at most one user
is using the resource at any given time, we must still ensure that the no lockout condition
is satisfied by the arbiter: If users using the resource eventually return the resource to
the arbiter, then the arbiter eventually satisfies every request for the resource. Let u
be a user node, and let us define the following sets of states and actions.²

$$\begin{aligned}
\mathit{RtnRes}^s_1(u) &= \{ s \in \mathit{states}(A_1) : \mathit{holder} = u \text{ in } s \} \\
\mathit{RtnRes}^a_1(u) &= \{ \mathit{return}(u) \} \\
\mathit{GrRes}^s_1(u) &= \{ s \in \mathit{states}(A_1) : u \in \mathit{requesters} \text{ in } s \} \\
\mathit{GrRes}^a_1(u) &= \{ \mathit{grant}(u) \}
\end{aligned}$$

The condition

$$\mathit{RtnRes}_1 = \bigwedge_{u} \mathit{RtnRes}^s_1(u) \leadsto \mathit{RtnRes}^a_1(u)$$

says that any user holding the resource will eventually return the resource to the arbiter.
The condition

$$\mathit{GrRes}_1 = \bigwedge_{u} \mathit{GrRes}^s_1(u) \leadsto \mathit{GrRes}^a_1(u)$$

says that any user requesting the resource will eventually be granted the resource. The
correctness condition

$$C_1 = \mathit{RtnRes}_1 \supset \mathit{GrRes}_1$$



²We will be defining several correctness conditions for each of the models we study. We will subscript
these conditions to indicate the level of abstraction with which they are associated. Furthermore, the
sets of states and actions used to construct these conditions will be superscripted with the letters s or a,
respectively.
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Figure 3.2: One state of the arbiter modeled by A_2.



says that if users holding the resource always return the resource, then users requesting
the resource will always be granted the resource. This is precisely the no lockout
condition we require the arbiter to satisfy. We denote by E_1 the execution module
of A_1 with the executions of A_1 satisfying the condition C_1. The execution module E_1
serves as the specification of the arbiter.



3.2 The Automaton A_2

Our next model reveals the distributed structure of the arbiter, but still at a high level
of abstraction, a level at which one might describe the algorithm at the blackboard. In
this model, illustrated in Figure 3.2, the arbiter and its environment are modeled by
a connected, acyclic graph G. The leaves of G are user nodes representing the users,
labeled u_1, ..., u_n. The arbiter itself consists of the remaining arbiter nodes, labeled
a_1, ..., a_m. The (directed) edge of G from the node v to w is denoted by (v, w). An
edge (v, w) is said to point toward a node x if (v, w) is an edge in the path from v to x.
Arrows are placed on edges of the graph to indicate either a request for the resource
or the granting of the resource. In general, the resource is considered to be held by a
node at the head of a grant arrow. Such a node is called a root of the graph. A user u
requests the resource by placing a request arrow on the edge (u, a) from itself to the
adjacent arbiter node a. The arbiter grants the resource to u by removing this arrow
and placing a grant arrow on (a, u). The user then returns the resource by moving the
grant arrow from the edge (a, u) to the edge (u, a). The arbiter itself, however, is an
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[beginning of sentence illegible in the scanned source]. When a request arrow is placed at an arbiter
node a, the arbiter node's response depends on whether it is holding the resource. If
it is, [illegible] and so there must be a grant arrow on some edge (v, a). The arbiter selects the
[illegible] node. The arbiter then grants the resource to this node by removing the request arrow and
[illegible] been forwarded by a to w. If the arbiter node a does not hold the resource, then the
arbiter forwards the request in the direction of a node holding the resource by placing a
request arrow on the edge pointing toward a root. The work in this section holds for arbitrary
connected, acyclic graphs. When we consider the model A_3 in the following section,
however, we will restrict our attention to graphs with a particular structure.



3.2.1 The States of A_2



In order to refer conveniently to the arrows on an edge of the graph, we associate
an arrow set arrows(v, w) with every edge (v, w) of the graph G. The start states of A_2
are taken from the set of states in which a single arrow set arrows(v, a) contains only a
grant arrow, and all other arrow sets are empty, where a is an arbiter node of the graph G.
In such a state, the arbiter holds the resource [remainder of sentence illegible in the scanned
source]. We will soon restrict our attention to a subset of these start states in the next
section, but the work of this section is independent of the particular set chosen. We note
that some states of A_2 [remainder of sentence illegible in the scanned source].



3.2.2 The Actions of A_2



Each arbiter node of G is given an (arbitrary) ordering of its adjacent nodes. Let (v, w) denote
the set of nodes properly between the nodes v and w in this ordering, and let (v, w]
denote the set of nodes properly between v and w, together with the node w. The actions
of A_2 are given in Figure 3.3. The input actions are of the form request(u, a) and
grant(u, a), and the output actions are of the form grant(a, u), where u is a user node
and a an adjacent arbiter node. The internal actions are of the form request(a, u),
where u is a user node and a is an adjacent arbiter node; and of the form request(a, a')
and grant(a, a') where a and a' are adjacent arbiter nodes. As in the previous model,
users may request the resource at any time, but grants by users not actually
holding the ticket are effectively ignored. Note we have added internal actions with
which the arbiter may request the resource from a user holding the resource. The arbiter had no
such ability in the previous model. These actions have been added for the sake of
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Input Actions:
  request(u, a)
    effects:
      arrows(u, a) ← arrows(u, a) ∪ {request}

  grant(u, a)
    effects:
      if grant ∈ arrows(a, u) then
        arrows(a, u) ← arrows(a, u) − {request}
        arrows(a, u) ← arrows(a, u) − {grant}
        arrows(u, a) ← arrows(u, a) ∪ {grant}

Internal and Output Actions:
  request(a, v)
    preconditions:
      request ∈ arrows(w, a) for some w
      (a, v) points toward a root
      request ∉ arrows(a, v)
    effects:
      arrows(a, v) ← arrows(a, v) ∪ {request}

  grant(a, v)
    preconditions:
      request ∈ arrows(v, a)
      grant ∈ arrows(w, a) for some w
      request ∉ arrows(y, a) for y ∈ (w, v)
    effects:
      arrows(v, a) ← arrows(v, a) − {request}
      arrows(w, a) ← arrows(w, a) − {grant}
      arrows(a, v) ← arrows(a, v) ∪ {grant}

Figure 3.3: The actions of A_2.
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symmetry. Having been added as internal actions, they have no effect on the arbiter's
interface with its users.

The next few results state certain invariants that hold during executions of A_2. The
first guarantees that every state contains at most one root, and hence that at most one
user is using the resource at any time.

Lemma 35: If s is a state of A_2, there is exactly one root in s.

Proof: In every start state of A_2, precisely one arrow set contains a grant arrow.
Furthermore, every action that adds a grant arrow to an arrow set also removes a
grant arrow from an arrow set. The result follows by a simple inductive argument,
since all states of A_2 are reachable. □

The second invariant states that every request arrow placed on the graph by the
arbiter points toward the root of the graph. In other words, the arbiter correctly
forwards requests in the direction of the resource.

Lemma 36: Let s be a state of A_2, and let a be an arbiter node of G. If arrows(a, v)
contains a request arrow, then (a, v) points toward the root of G.

Proof: No arrow set of any start state contains a request arrow, so the start states of A_2
certainly satisfy the hypothesis. Suppose s is a state of A_2 satisfying the hypothesis,
and suppose that (s, π, t) is a step of A_2. We claim that t satisfies the hypothesis as well.
Suppose π is of the form request(x, y). Notice that π does not modify the position of
the grant arrow, and that π adds a request arrow to arrows(a, v) only if (a, v) points
toward the root in s, and hence in t. It follows that t must satisfy the hypothesis.
Suppose π = grant(v, a). In this case, π removes any request arrow from arrows(a, v),
and so t must satisfy the hypothesis. Finally, suppose π = grant(x, y) ≠ grant(v, a).
Since π does not add or remove a request arrow from arrows(a, v), if the set arrows(a, v)
contains a request arrow in t, the same is true in s. The fact that π is enabled from s
implies that x is the root in s. The hypothesis implies that the edge (a, v) must point
toward the root x in s. Since π forwards the resource from x to y (and since y ≠ a), the
edge (a, v) must point toward the root y in t. Therefore, t must satisfy the hypothesis.
The lemma now follows by a simple inductive argument, since all states of A_2 are
reachable. □

3.2.3 The Execution Module E_2

To ensure that the arbiter satisfies all user requests, it is obviously important that the
internal arbiter nodes forward all requests in the direction of the root, and that arbiter
nodes holding the resource eventually grant the resource to adjacent requesting nodes.
Let a be an arbiter node adjacent to nodes v and w, and let us define the following sets
of states and actions.

$$\mathit{FwdReq}^s_2(a,v) = \{\, s \in \mathit{states}(A_2) : \mathit{request} \in \mathit{arrows}(w,a) \text{ for some } w,\ (a,v) \text{ points toward the root, and } \mathit{request} \notin \mathit{arrows}(a,v) \text{ in } s \,\}$$

$$\mathit{FwdReq}^a_2(a,v) = \{\, \mathit{grant}(v,a),\ \mathit{request}(a,v) \,\}$$

$$\mathit{FwdGr}^s_2(a,v,w) = \{\, s \in \mathit{states}(A_2) : \mathit{request} \in \mathit{arrows}(v,a) \text{ and } \mathit{grant} \in \mathit{arrows}(w,a) \text{ in } s \,\}$$

$$\mathit{FwdGr}^a_2(a,v,w) = \{\, \mathit{grant}(a,y) : y \in (w,v] \,\}$$

The first arbiter correctness condition

$$\mathit{FwdReq}_2 = \bigwedge_{a,v} \mathit{FwdReq}^s_2(a,v) \leadsto \mathit{FwdReq}^a_2(a,v),$$

illustrated at the top of Figure 3.4, states that if an arbiter node a is at the head of
a request arrow and has not forwarded the request in the direction of the root, then
either a becomes the root (possibly because v is a user node, and v has placed a grant
arrow on (v,a)), or a eventually forwards the request in the direction of the root. The
second arbiter correctness condition

$$\mathit{FwdGr}_2 = \bigwedge_{a,v,w} \mathit{FwdGr}^s_2(a,v,w) \leadsto \mathit{FwdGr}^a_2(a,v,w),$$

illustrated at the bottom of Figure 3.4, states that if an arbiter node a is a root at
the head of a request arrow, then it eventually forwards the resource to an adjacent
requesting node. The correctness condition

$$C_2 = \mathit{FwdReq}_2 \wedge \mathit{FwdGr}_2$$

ensures that arbiter nodes always forward requests in the direction of the root, and
that arbiter nodes holding the resource always grant it to adjacent requesting nodes.
We let E_2 be the execution module of A_2 with the executions of A_2 satisfying the
condition C_2.

While Lemma 35 states that at most one user is using the resource at any given
time, and while condition C_2 ensures that arbiter nodes holding the resource always
grant the resource to requesting nodes, we have not yet shown that the arbiter always
satisfies user requests. As before, this requires cooperation on the part of the users.
Let u be a user node adjacent to the arbiter node a, and let us define the following sets
of states and actions.

$$\mathit{RtnRes}^s_2(u) = \{\, s \in \mathit{states}(A_2) : \mathit{grant} \in \mathit{arrows}(a,u) \text{ in } s \,\}$$
Figure 3.4: Arbiter correctness conditions (top: the correctness condition FwdReq_2;
bottom: the correctness condition FwdGr_2).
$$\mathit{RtnRes}^a_2(u) = \{\, \mathit{grant}(u,a) \,\}$$

$$\mathit{GrRes}^s_2(u) = \{\, s \in \mathit{states}(A_2) : \mathit{request} \in \mathit{arrows}(u,a) \text{ in } s \,\}$$

$$\mathit{GrRes}^a_2(u) = \{\, \mathit{grant}(a,u) \,\}$$

The condition

$$\mathit{RtnRes}_2 = \bigwedge_{u} \mathit{RtnRes}^s_2(u) \leadsto \mathit{RtnRes}^a_2(u)$$

says user nodes holding the resource always return the resource, and the condition

$$\mathit{GrRes}_2 = \bigwedge_{u} \mathit{GrRes}^s_2(u) \leadsto \mathit{GrRes}^a_2(u)$$

says the arbiter eventually satisfies requesting users. The condition RtnRes_2 ⊃ GrRes_2
says that if users return the resource, then the arbiter satisfies all requests. We now
show that every execution of E_2 satisfies the condition RtnRes_2 ⊃ GrRes_2. First,
however, we prove the following result, the inductive statement in the argument that
E_2 satisfies the condition RtnRes_2 ⊃ GrRes_2.

Lemma 37: Let s be a state of A_2 having a request arrow in arrows(v,w). Let x be
an execution fragment of A_2 from s satisfying the condition C_2 ∧ RtnRes_2. Then the
action grant(w,v) must appear in x.

Proof: If the graph G is viewed as a tree rooted at v, then w can be viewed as the
root of a subtree of v. We proceed by induction on the height h of the subtree of v
rooted at w.

Suppose h = 0. In this case, w must be a leaf of G, and therefore w must be a
user node and v an arbiter node. Since v is an arbiter node and arrows(v,w) contains
a request arrow, Lemma 36 implies the edge (v,w) points toward the root. Therefore,
arrows(v,w) must contain a grant arrow. Since x satisfies RtnRes_2, the user w must
eventually return the resource to the arbiter, and hence grant(w,v) must appear in x.

Suppose h > 0 and the inductive hypothesis holds for h − 1. We first show that x
can be written as βx' where x' is an execution fragment satisfying C_2 ∧ RtnRes_2 in whose
initial state request ∈ arrows(v,w) and w is the root (that is, grant ∈ arrows(w',w) for
some node w'). We consider two cases. First, suppose (v,w) does not point toward the
root in s. Since arrows(v,w) contains a request arrow, Lemma 36 implies that v must
be a user node. Since user nodes are leaves, and since (v,w) does not point toward
the root, the root must be at v; that is, arrows(w,v) must contain a grant arrow.
Since x satisfies RtnRes_2, the user v must eventually return the resource to the arbiter,
so grant(v,w) must appear in x. Therefore, x = β grant(v,w) x' as desired. Now
suppose (v,w) does point toward the root. If w itself is the root, then setting x' = x
we are done, so suppose w is not the root. If for some node w' the set arrows(w,w')
contains a request arrow, then since the height of the subtree of w rooted at w' must be
less than h, the inductive hypothesis for h − 1 implies that grant(w',w) appears in x.
Therefore, x = β grant(w',w) x' as desired. On the other hand, suppose no arrow set
arrows(w,w') contains a request arrow. Note that the fact that h > 0 implies that w
is not a leaf, and hence that w is an arbiter node. Since x satisfies C_2, we see that for
some node w' either grant(w',w) or request(w,w') appears in x. If grant(w',w) appears
in x, then x = β grant(w',w) x' as desired. If request(w,w') appears in x, then a request
arrow is placed in arrows(w,w'), and again the inductive hypothesis for h − 1 implies
that x = β grant(w',w) x' as above.

We now show that if x' is an execution fragment satisfying C_2 ∧ RtnRes_2 in whose
initial state request ∈ arrows(v,w) and grant ∈ arrows(w',w) for some node w', then
grant(w,v) appears in x'. From this it will follow that grant(w,v) appears in x as
well. We proceed by induction on d, the distance from w' to v in the ordering of
the nodes adjacent to w in G. Suppose d = 1. Since request ∈ arrows(v,w) and
grant ∈ arrows(w',w), condition C_2 implies that grant(w,y) must appear in x' for some
y ∈ (w',v] = {v}. Thus, grant(w,v) must appear in x'. Suppose d > 1 and the inductive
hypothesis holds for d − 1. Suppose the inductive hypothesis does not hold for x':
suppose that grant(w,v) does not appear in x', and hence that request ∈ arrows(v,w)
in every state appearing in x'. As in the case of d = 1, the action grant(w,y) must
appear in x' for some y ∈ (w',v]. If y = v then we are done, so suppose y ≠ v. If
arrows(w,y) contains a request, then the inductive hypothesis for h − 1 implies that
grant(w,y) appears in x', and the inductive hypothesis for d − 1 implies that grant(w,v)
must also appear in x'. On the other hand, suppose arrows(w,y) does not contain a
request arrow. Condition C_2 implies that either grant(y,w) or request(w,y) appears
in x'. If grant(y,w) appears in x', then a grant arrow is placed in arrows(y,w), and the
inductive hypothesis for d − 1 implies that grant(w,v) appears in x'. If request(w,y)
appears in x', then a request arrow is placed in arrows(w,y), and grant(w,v) must
appear in x' as we have seen above. □

An immediate corollary of Lemma 37 is the following.

Corollary 38: Every execution of E_2 satisfies the condition RtnRes_2 ⊃ GrRes_2.



3.2.4 The Execution Module E'_2



For the sake of exposition, we have given the actions of A_2 names suitable to its level
of abstraction, rather than using names from A_1. It is therefore necessary to rename
these actions before showing that E_2 solves E_1. The action mapping f_1 from A_2 to A_1
is defined to map

request(u,a) to request(u),
grant(u,a) to return(u),
grant(a,u) to grant(u),

and all remaining (internal) actions to themselves. We will denote by A'_2 the automaton
f_1(A_2), and in general we will denote by affixing a prime to its name the entity obtained
by renaming its actions according to f_1.

3.2.5 The Satisfaction of E_1 by E'_2

We begin the proof that E'_2 satisfies E_1 by exhibiting a possibilities mapping from A'_2
to A_1. The mapping h_1 maps the state s of A'_2 to the state t of A_1 such that

u ∈ requesters in t iff request ∈ arrows(u,a) in s
holder = u in t iff grant ∈ arrows(a,u) in s
holder = a in t iff grant ∉ arrows(a,u) for every user u in s

These conditions ensure that a user is a requesting user in t iff it is in s, and that a
user is holding the resource in t iff it is in s. Since all states of A'_2 are reachable, and
since in all reachable states of A'_2 there is exactly one root, this mapping takes each
state of A'_2 to a singleton set of states of A_1.

Lemma 39: The mapping h_1 is a possibilities mapping from A'_2 to A_1.

Proof: The automata A'_2 and A_1 clearly have the same external action signature. If s
is a start state of A'_2, then a single arrow set arrows(u,a) contains a grant arrow and all
other arrow sets are empty. In particular, no arrow set arrows(u,a) contains a request
arrow, and no arrow set arrows(a,u) contains a grant arrow. Therefore, in every state
of h_1(s) the set requesters of requesting users is empty, and holder = a. Since this is
the start state of A_1, we see that if s is a start state of A'_2, then a start state of A_1 is
contained in h_1(s).

Consider the action π = request(u) of A'_2, originally the action request(u,a) of A_2.
Suppose s and t are reachable states of A'_2 and A_1, respectively, such that t ∈ h_1(s).
The action π is an input action of both automata, and hence is enabled from both s
and t. Suppose $s \xrightarrow{\pi} s'$ and $t \xrightarrow{\pi} t'$. Since π adds a request arrow to arrows(u,a) in s',
and adds u to the set requesters of requesting users in t', we see that t' ∈ h_1(s').

Consider the action π = return(u) of A'_2, originally the action grant(u,a) of A_2.
Suppose s and t are reachable states of A'_2 and A_1, respectively, such that t ∈ h_1(s).
Again, π is an input action of both automata, and hence is enabled from both s and t.
Suppose $s \xrightarrow{\pi} s'$ and $t \xrightarrow{\pi} t'$. The definition of h_1 implies that grant ∈ arrows(a,u) in s
iff holder = u in t. If both conditions are false, then π has no effect on either s or t,
so t ∈ h_1(s) implies t' ∈ h_1(s'). Suppose both conditions are true. Notice that u is the
unique root in s. The action π moves the grant arrow from arrows(a,u) to arrows(u,a)
in s', and π sets holder to a in t'. Thus, t' ∈ h_1(s').

Consider the action π = grant(u) of A'_2, originally the action grant(a,u) of A_2. Suppose
s and t are reachable states of A'_2 and A_1, respectively, such that t ∈ h_1(s). If π is
enabled from s, then request ∈ arrows(u,a) and grant ∈ arrows(w,a) for some node w.
Since request ∈ arrows(u,a) in s, the set requesters of requesting users contains u in t.
Since a is the unique root in s, holder = a in t. Thus, π is enabled from t. Suppose
$s \xrightarrow{\pi} s'$ and $t \xrightarrow{\pi} t'$. The action π removes the request arrow from arrows(u,a) and
moves the grant arrow to arrows(a,u) in s', and π removes u from the set requesters
of requesting users and sets holder to u in t'. Therefore, t' ∈ h_1(s').

Finally, the remaining actions request(a,u), request(a,a'), and grant(a,a') of A'_2
are not actions of A_1. These actions do not affect request arrows in the arrow sets
arrows(u,a) or grant arrows in the arrow sets arrows(a,u). Therefore, suppose s and t
are reachable states of A'_2 and A_1 such that t ∈ h_1(s). If $s \xrightarrow{\pi} s'$ is a step of A'_2, then
t ∈ h_1(s'). It follows that h_1 is indeed a possibilities mapping from A'_2 to A_1. □

We can now show that E'_2 satisfies E_1.

Lemma 40: E'_2 satisfies E_1.

Proof: Let x be an execution of E'_2, and let y be an execution of A_1 corresponding
to x under h_1. First, we claim that (i) if y satisfies RtnRes^s_1(u) ⇝ RtnRes^a_1(u), then x
satisfies RtnRes^s_2(u) ⇝ RtnRes^a_2(u)'. Suppose s is a state of RtnRes^s_2(u). Since grant ∈
arrows(a,u) in s, the definition of h_1 implies that holder = u in every state of h_1(s), and hence that
h_1(RtnRes^s_2(u)) ⊆ RtnRes^s_1(u). Since, in addition, RtnRes^a_1(u) ⊆ RtnRes^a_2(u)', the claim
follows by Lemma 32. Second, we claim that (ii) if x satisfies GrRes^s_2(u) ⇝ GrRes^a_2(u)',
then y satisfies GrRes^s_1(u) ⇝ GrRes^a_1(u). Suppose t ∈ h_1(s) is a state of GrRes^s_1(u).
Then u ∈ requesters in t, and the definition of h_1 implies that request ∈ arrows(u,a) in s, and hence that
h_1^{-1}(GrRes^s_1(u)) ⊆ GrRes^s_2(u). Since, in addition, GrRes^a_2(u)' ⊆ GrRes^a_1(u), the claim
follows by Lemma 32. From observations (i) and (ii) it follows that if y satisfies RtnRes_1,
then x satisfies RtnRes_2; and that if x satisfies GrRes_2, then y satisfies GrRes_1. Since x
satisfies RtnRes_2 ⊃ GrRes_2, it follows that y satisfies RtnRes_1 ⊃ GrRes_1, and hence
that y is an execution of E_1. Since sched(x)|A_1 = sched(y), and since E'_2 and E_1 have
the same external action signature, it follows that fbeh(E'_2) ⊆ fbeh(E_1), and hence that
E'_2 satisfies E_1. □

3.3 The Automaton A_3

In the description of the arbiter given by the previous model, the arbiter nodes are
intended to represent processes in a distributed network implementing the arbiter.
The previous models have given global descriptions of the arbiter's behavior. In this model
we actually distribute the arbiter by modeling each process as a separate automaton.
These automata describe the low-level protocol followed by each process in the arbiter's
implementation. Notice that while previous models have acknowledged the existence of the
message system, they have ignored its asynchrony by assuming instantaneous message delivery. We now introduce this
asynchrony into the model by treating the message delivery system as an independent
automaton. By composing the automata modeling arbiter processes with the automaton
modeling the message delivery system, we obtain a global model of the arbiter.

In order to model asynchronous message delivery, it is convenient to add to the
graph G a node b_{a,a'} for each pair of adjacent arbiter nodes a and a'. The node b_{a,a'}
acts as a message buffer between a and a': The node a sends a message to a' by placing
an arrow on the edge (a, b_{a,a'}), and the message system delivers the message to a' by
placing an arrow on the edge (b_{a,a'}, a'). Since they function
as message buffers, we will hereafter refer to the nodes b_{a,a'} as buffer nodes. We denote
by 𝒢 the graph obtained from G by the addition of such buffer nodes. Two nodes
(processes) are said to be adjacent in 𝒢 if they are separated by at most a buffer node;
that is, if they are user or arbiter nodes adjacent in the graph G. Since the results of
the previous section hold for arbitrary connected, acyclic graphs, and since 𝒢 is such a
graph, these results hold for the graph 𝒢. We therefore fix 𝒢 as the graph underlying
A_2, and take an arbiter node as a root. In such a state the arbiter holds the resource, and
no undelivered messages are pending. We note that with the added structure of 𝒢, we
can prove the following result about buffer nodes during executions of A_2.

Lemma 41: Let a and a' be adjacent arbiter nodes, and let s be a state of A_2. If
request ∈ arrows(b_{a,a'}, a') or grant ∈ arrows(a', b_{a,a'}), then request ∈ arrows(a, b_{a,a'}).

Proof: The sets arrows(b_{a,a'}, a') and arrows(a', b_{a,a'}) do not contain request or grant
arrows, respectively, in any start state of A_2, and hence every start state satisfies
the hypothesis. Suppose s is a reachable state of A_2 satisfying the hypothesis, and
suppose $s \xrightarrow{\pi} t$ is a step of A_2. We claim that t satisfies the hypothesis as well. If
π = request(x,y), then π places a request arrow in arrows(x,y). The only case we need
consider is the case of (x,y) = (b_{a,a'}, a'). In this case, π is enabled only if (b_{a,a'}, a')
points toward the root, and there is a request in arrows(v, b_{a,a'}) for some v. If v = a',
then Lemma 36 implies that the edge (a', b_{a,a'}) also points toward the root. Since
Lemma 35 states that there is only one root, this is clearly impossible. Therefore,
we must have v = a, and hence that t satisfies the hypothesis. If π = grant(x,y),
then π places a grant arrow in arrows(x,y). The only case we need consider is the
case of (x,y) = (a', b_{a,a'}). In this case, π is enabled only if there is a request arrow in
arrows(b_{a,a'}, a') in s. By hypothesis, there must be a request arrow in arrows(a, b_{a,a'})
in s, and hence in t. Therefore, t must satisfy the hypothesis. The lemma follows by a
simple inductive argument. □
Note that we do not model any message asynchrony between users and the arbiter: User
nodes are to be interpreted as ports to the arbiter through which the users communicate
with the arbiter, and not the user processes themselves. If the arbiter is to be used in
a larger system, then the responsibility of modeling the message delivery between the
users and the arbiter lies with the model of the larger system's message delivery system.

The previous models have given some indication of the behavior required of arbiter
processes. In the first place, arbiter processes must always forward a request for the
resource in the direction of the resource. Since the network is acyclic, the process is
able to determine the direction of the resource by remembering the direction in which it
last forwarded the resource. Furthermore, arbiter processes holding the resource must
forward the resource to a requesting process. In particular, if arbiter process a receives
the resource from process v, then a must grant the resource to the first requesting
process after v in a fixed ordering of its neighbors. Therefore, the state of an arbiter
process is determined by a set of processes from which it has received a request, the
link over which the resource was last sent, whether or not the process is holding the
resource, and whether or not a request has been forwarded in the direction of the
resource. For each arbiter process a (each arbiter node of the graph G), we construct
an automaton A_a modeling the process a.

The behavior required of the message system is very simple. The system must be
able to accept messages for delivery, and ensure that every message sent is eventually
delivered. The state of the message system is simply a collection of undelivered
messages together with their destinations. We construct an automaton M to model the
asynchronous message communication system.

3.3.1 The States of A_a and M

As mentioned above, a state of A_a is determined by a set requesting of requesting
processes adjacent to a, a variable lastforward indicating the adjacent process to which a
last forwarded the resource, a binary flag holding indicating whether or not a is holding
the resource, and a binary flag requested indicating whether or not a has requested the
resource since last holding the resource. To define the start state of A_a, we designate
one of the arbiter processes as the initial holder of the resource. The start state of A_a
is a state in which the set requesting of requesting processes is empty; the variable
lastforward is set to the process adjacent to a on the path from a to the process
currently holding the resource, or to any adjacent process if a is the initial holder; the
flag holding is set depending on whether a is the initial holder; and the flag requested
is set to false. Notice that there are several possible initial states for the initial holder,
since lastforward may be set to any of its adjacent processes, but that the initial state
of the remaining processes is unique.
As indicated above, the state of M is determined by a set messages of messages
to deliver (either request or grant messages) together with the identity of the sender
and receiver of the message. More formally, messages is a set of triples of the form
(v, w, request) or (v, w, grant) denoting messages to be delivered from v to w. The initial
state of M is the state in which messages is empty, the state in which no messages are



3.3.2 The Actions of A_a and M

The actions of A_a are given in Figure 3.5. The input actions are those actions of the
form receiverequest(v,a) and receivegrant(v,a), and the output actions are of the form
sendrequest(a,v) and sendgrant(a,v), where v is a node (process) adjacent to a in the
graph 𝒢. These actions behave just as described above. There are no internal actions
of A_a.



The actions of M are given in Figure 3.6. The input actions are those actions of
the form sendrequest(a,a') and sendgrant(a,a'), and the output actions are of the form
receiverequest(a,a') and receivegrant(a,a'), where a and a' are adjacent arbiter nodes
of 𝒢. These actions accept messages to be delivered by placing them in the message
buffer messages, and deliver them by removing them from the buffer. There are no
internal actions of M.



3.3.3 The Automaton A_3

The composition of the automata A_a modeling the arbiter processes together with
the automaton M modeling the message system yields a global model of the arbiter.
However, we must hide actions that are inherently internal to the arbiter. Therefore,
we define the automaton A_3 to be the composition of the automata A_a together with
the automaton M, after hiding all output actions of the composition except those of the
form sendgrant(a,u) (where a and u are adjacent arbiter and user nodes, respectively).

3.3.4 The Execution Module E_3

As mentioned in the introduction to this model, an arbiter process a is required to
forward all requests, and to grant the resource to a requesting process if the arbiter
process holds the resource. Let v and w be two nodes adjacent to the arbiter node a,
and let us define the following sets of states and actions.
Input Actions:

    receiverequest(v, a)
        effects:
            requesting ← requesting ∪ {v}

    receivegrant(v, a)
        effects:
            if holding = false and lastforward = v then
                holding ← true
                requested ← false

Output Actions:

    sendrequest(a, v)
        preconditions:
            requesting ≠ ∅
            requested = false
            holding = false
            lastforward = v
        effects:
            requested ← true

    sendgrant(a, v)
        preconditions:
            v ∈ requesting
            holding = true
            lastforward = w
            y ∉ requesting for all y ∈ (w, v)
        effects:
            requesting ← requesting − {v}
            lastforward ← v
            holding ← false

Figure 3.5: The actions of A_a.
Input Actions:

    sendrequest(a, a')
        effects:
            messages ← messages ∪ {(a, a', request)}

    sendgrant(a, a')
        effects:
            messages ← messages ∪ {(a, a', grant)}

Output Actions:

    receiverequest(a, a')
        preconditions:
            (a, a', request) ∈ messages
        effects:
            messages ← messages − {(a, a', request)}

    receivegrant(a, a')
        preconditions:
            (a, a', grant) ∈ messages
        effects:
            messages ← messages − {(a, a', grant)}

Figure 3.6: The actions of M.
$$\mathit{FwdReq}^s_a(v) = \{\, s \in \mathit{states}(A_a) : \mathit{requesting} \neq \emptyset,\ \mathit{requested} = \mathit{false},\ \mathit{holding} = \mathit{false}, \text{ and } \mathit{lastforward} = v \text{ in } s \,\}$$

$$\mathit{FwdReq}^a_a(v) = \{\, \mathit{receivegrant}(v,a),\ \mathit{sendrequest}(a,v) \,\}$$

$$\mathit{FwdGr}^s_a(v,w) = \{\, s \in \mathit{states}(A_a) : v \in \mathit{requesting},\ \mathit{holding} = \mathit{true}, \text{ and } \mathit{lastforward} = w \text{ in } s \,\}$$

$$\mathit{FwdGr}^a_a(v,w) = \{\, \mathit{sendgrant}(a,y) : y \in (w,v] \,\}$$

The condition

$$\mathit{FwdReq}_a = \bigwedge_{v} \mathit{FwdReq}^s_a(v) \leadsto \mathit{FwdReq}^a_a(v)$$

says that the arbiter process a, having received a request and not holding the resource,
will eventually either send a request for the resource or receive the resource (without having
requested it, perhaps from a user). The condition

$$\mathit{FwdGr}_a = \bigwedge_{v,w} \mathit{FwdGr}^s_a(v,w) \leadsto \mathit{FwdGr}^a_a(v,w)$$

says that the arbiter process a holding the resource and having received a request will
eventually forward the resource to a requesting process. The condition

$$C_a = \mathit{FwdReq}_a \wedge \mathit{FwdGr}_a$$

is the desired correctness condition for the arbiter process a. We note the following.
Lemma 42: Every fair execution of A_a satisfies C_a.

Proof: Let s be a state of FwdReq^s_a(v) and let x be an execution fragment of A_a from s.
If neither receivegrant(v,a) nor sendrequest(a,v) appears in x, then sendrequest(a,v) is
enabled from every state appearing in x. Therefore, every fair execution of A_a satisfies
FwdReq_a. Similarly, let s be a state of FwdGr^s_a(v,w) and let x be an execution fragment
of A_a from s. If no action of FwdGr^a_a(v,w) appears in x, then again an action from this
set is enabled from every state appearing in x. Therefore, every fair execution of A_a
satisfies FwdGr_a. It follows that every fair execution of A_a satisfies C_a. □
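As an added example, not code from the thesis, the following Python model implements the arbiter process automaton A_a of Figure 3.5 and the message automaton M of Figure 3.6, composes them as in A_3, and drives the composition with a round-robin schedule in which every component with an enabled output takes a step each round (so the schedule is fair in the sense of Lemma 42). The class names Arbiter and MessageSystem, the user environment inside run (each user requests once and returns the resource as soon as it is granted), and the three-arbiter chain in chain_example are assumptions of the example; the run also checks the A_3 analogue of Lemma 35, namely that exactly one copy of the resource exists at every step (held by a process, held by a user, or carried by a grant message in transit).

```python
# Added example, not code from the thesis: A_a (Figure 3.5) and M (Figure 3.6).
from dataclasses import dataclass, field


@dataclass
class Arbiter:
    """State of A_a: requesting, lastforward, holding, requested (Figure 3.5)."""
    name: str
    neighbors: list                     # fixed cyclic ordering of adjacent nodes
    lastforward: str
    holding: bool
    requesting: set = field(default_factory=set)
    requested: bool = False

    def receiverequest(self, v):        # input action receiverequest(v, a)
        self.requesting.add(v)

    def receivegrant(self, v):          # input action receivegrant(v, a)
        if not self.holding and self.lastforward == v:
            self.holding, self.requested = True, False

    def between(self, w, v):            # open interval (w, v) of the cyclic ordering
        n, i, out = self.neighbors, self.neighbors.index(w), []
        while True:
            i = (i + 1) % len(n)
            if n[i] == v:
                return out
            out.append(n[i])

    def enabled_outputs(self):          # output actions whose preconditions hold
        acts = []
        if self.requesting and not self.requested and not self.holding:
            acts.append(("sendrequest", self.name, self.lastforward))
        if self.holding:                # grant to a requester with no requester before it
            for v in sorted(self.requesting):
                if not any(y in self.requesting for y in self.between(self.lastforward, v)):
                    acts.append(("sendgrant", self.name, v))
        return acts

    def perform(self, kind, v):         # effects of the chosen output action
        if kind == "sendrequest":
            self.requested = True
        else:
            self.requesting.discard(v)
            self.lastforward, self.holding = v, False


class MessageSystem:
    """State of M: the set of undelivered (sender, receiver, kind) triples."""
    def __init__(self):
        self.messages = set()
    def send(self, kind, a, a2):        # input actions sendrequest/sendgrant(a, a')
        self.messages.add((a, a2, kind))
    def enabled_outputs(self):          # output actions receiverequest/receivegrant
        return [("receive" + k, a, a2) for (a, a2, k) in sorted(self.messages)]
    def deliver(self, kind, a, a2):     # effects: drop the delivered message
        self.messages.remove((a, a2, kind))


def run(arbiters, users, max_rounds=50):
    """Compose the arbiters with M and schedule round-robin; `users` maps each user
    to its adjacent arbiter, and every user requests once and returns on receipt.
    Returns (all users served, action trace, single-resource invariant held)."""
    arbs, M = {a.name: a for a in arbiters}, MessageSystem()
    phase = {u: "idle" for u in users}  # idle -> waiting -> holding -> done
    trace, ok = [], True

    def one_token():                    # exactly one copy of the resource exists
        held = sum(a.holding for a in arbs.values())
        transit = sum(k == "grant" for (_, _, k) in M.messages)
        return held + transit + sum(p == "holding" for p in phase.values()) == 1

    for _ in range(max_rounds):
        for a in arbs.values():         # each A_a takes one enabled output step
            for kind, src, dst in a.enabled_outputs()[:1]:
                a.perform(kind, dst)
                if dst in arbs:         # arbiter-to-arbiter messages go through M
                    M.send(kind[len("send"):], src, dst)
                elif kind == "sendgrant":  # sendgrant(a, u) reaches the user directly
                    phase[dst] = "holding"
                trace.append((kind, src, dst)); ok &= one_token()
        for kind, src, dst in M.enabled_outputs()[:1]:  # M delivers one message
            M.deliver(kind[len("receive"):], src, dst)
            getattr(arbs[dst], kind)(src)
            trace.append((kind, src, dst)); ok &= one_token()
        for u, a in users.items():      # user environment: request once, then return
            if phase[u] == "idle":
                arbs[a].receiverequest(u); phase[u] = "waiting"; trace.append(("request", u))
            elif phase[u] == "holding":
                arbs[a].receivegrant(u); phase[u] = "done"; trace.append(("return", u))
                ok &= one_token()
        if all(p == "done" for p in phase.values()):
            return True, trace, ok
    return False, trace, ok


def chain_example():
    """Constructed network: chain a1 - a2 - a3, users u1 at a1 and u3 at a3, a2 initial holder."""
    arbiters = [Arbiter("a1", ["u1", "a2"], lastforward="a2", holding=False),
                Arbiter("a2", ["a1", "a3"], lastforward="a1", holding=True),
                Arbiter("a3", ["a2", "u3"], lastforward="a2", holding=False)]
    return run(arbiters, {"u1": "a1", "u3": "a3"})
```

In the chain, a2 first grants to a1 (the requester after its lastforward), a1 serves u1, and only after u1 returns the resource does a1 forward it back toward a3, which the trace returned by chain_example records action by action.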

We let the execution module E_a = fair(A_a). Recall that an object O solves (the
problem specified by) an object O' only if it is implementable. Since E_a is part of our
solution to the arbiter's problem specification, it is necessary to show that E_a (as well as
every other execution module defined at this low level of abstraction) is implementable.

Lemma 43: E_a is implementable.
We also require that the message system deliver all messages sent. Let a
and a' be adjacent arbiter processes, and let us define the following sets of states
and actions.

$$\mathit{DelReq}^s_M(a,a') = \{\, s \in \mathit{states}(M) : (a, a', \mathit{request}) \in \mathit{messages} \text{ in } s \,\}$$

$$\mathit{DelReq}^a_M(a,a') = \{\, \mathit{receiverequest}(a,a') \,\}$$

$$\mathit{DelGr}^s_M(a,a') = \{\, s \in \mathit{states}(M) : (a, a', \mathit{grant}) \in \mathit{messages} \text{ in } s \,\}$$

$$\mathit{DelGr}^a_M(a,a') = \{\, \mathit{receivegrant}(a,a') \,\}$$

If we let

$$\mathit{DelReq}_M = \bigwedge_{a,a'} \mathit{DelReq}^s_M(a,a') \leadsto \mathit{DelReq}^a_M(a,a')$$

and

$$\mathit{DelGr}_M = \bigwedge_{a,a'} \mathit{DelGr}^s_M(a,a') \leadsto \mathit{DelGr}^a_M(a,a'),$$

then the condition

$$C_M = \mathit{DelReq}_M \wedge \mathit{DelGr}_M$$

says that messages sent are always delivered. We denote by E_M the execution module
of M with the executions satisfying C_M.

Lemma 44: E_M is implementable.

Proof: It is easy to construct an automaton M' with the action signature of E_M whose
fair executions are executions of E_M. The automaton M' keeps messages to be delivered
in a FIFO buffer, and delivers them in the order in which they are received for delivery.
□

Finally, we define E_3 to be the composition of the execution modules E_a and E_M
after hiding the internal actions of A_3. As a result of Lemma 26, we have the following.

Lemma 45: E_3 is implementable.



3.3.5 The Execution Module E'_3

As with the execution module E_2, it is necessary to rename the actions of E_3 to be
consistent with the names of E_2. As mentioned when we defined the buffer nodes b_{a,a'},
the arbiter node a sends a message to the arbiter node a' by placing an arrow on the
edge (a, b_{a,a'}) between a and the buffer node b_{a,a'}, and the message system delivers the
message by placing an arrow on the edge (b_{a,a'}, a') between the buffer node and a'. An
arbiter node and user node communicate by placing an arrow on the edge between
them. Therefore, if a is an arbiter node and a' and u are arbiter and user nodes,
respectively, adjacent to a in 𝒢, we define the action mapping f_2 to map

receiverequest(u,a) to request(u,a)
receivegrant(u,a) to grant(u,a)
sendrequest(a,u) to request(a,u)
sendgrant(a,u) to grant(a,u)
receiverequest(a',a) to request(b_{a',a}, a)
receivegrant(a',a) to grant(b_{a',a}, a)
sendrequest(a,a') to request(a, b_{a,a'})
sendgrant(a,a') to grant(a, b_{a,a'})

We will denote by A'_3 the automaton f_2(A_3), and in general we will denote by affixing
a prime to its name the entity obtained by renaming its actions according to f_2.

3.3.6 The Solution of E_2 by E'_3

We begin the proof that E'_3 satisfies E_2 by exhibiting a possibilities mapping from A'_3
to A_2. In order to define this mapping, it will be necessary to refer to state variables
from each of the components of A'_3. While the name of the state variable messages
of M' is unique to M', the remaining components share variable names. In order to
avoid ambiguity, we will indicate the component to which a state variable belongs by
subscripting the variable with an appropriate identifier. For example, the set requesting
of requesting processes in A'_a will be denoted by requesting_a. The mapping h_2 maps
the state s of A'_3 to the set of states t of A_2 satisfying the following conditions:



U1. request ∈ arrows(u,a) iff u ∈ requesting_a
U2. grant ∈ arrows(u,a) iff holding_a = true and lastforward_a = u
U3. request ∈ arrows(a,u) iff requested_a = true and lastforward_a = u
U4. grant ∈ arrows(a,u) iff holding_a = false and lastforward_a = u

A1. request ∈ arrows(b_{a',a}, a) iff a' ∈ requesting_a
A2. grant ∈ arrows(b_{a',a}, a) iff holding_a = true and lastforward_a = a'
A3. request ∈ arrows(a, b_{a,a'}) iff requested_a = true and lastforward_a = a'
A4. grant ∈ arrows(a, b_{a,a'}) iff (a, a', grant) ∈ messages

I1. request ∈ arrows(a, b_{a,a'}), request ∉ arrows(b_{a,a'}, a'), and grant ∉ arrows(a', b_{a,a'})
    iff (a, a', request) ∈ messages
I2. (a, b_{a,a'}) points toward the root iff holding_a = false and lastforward_a = a'

The conditions U1 - U3 and A1 - A3 are straightforward. They say that the arbiter
process a has received a request from a process v in t iff v is in a's set requesting of
requesting processes in s, and that a has received the resource from v in t iff a holds the
resource in s and last sent (and hence received) the resource from v. Similarly, a has
forwarded a request for the resource in t iff a has sent a request in the direction it last
forwarded the resource in s. A4 says that the resource is in transit between a and a'
in t iff there is a grant message from a to a' in the message buffer messages in s. U4
says that the user u has the resource in t iff in s the node a last forwarded the resource
to u and has not received the resource since. Conditions I1 and I2 are invariants that
must be preserved by the mapping. I1 says that a state with a request in transit must
map only to states satisfying Lemma 41. I2 says that the value of lastforward correctly
records the direction of the resource in the network. We now have the following.

Lenima 46: The mapping h^ is a possibilities mapping from A'^ to A,. 

Proof: The action mapping /, has renamed the actions of A3 so that A', and A, have 
the same external action signature. Let s be a start state of A^. For every arbiter 
process a m s the set requesting, of requesting processes is empty, and requested, is 
set to false. It follows by Ul, U3, Al, and A3 that no arrow set of any state in h^s) 
contains a. request arrow. Furthermore, the initial holder a in , has set its flag holding 
to true; all other processes a' have set holding,, to false, and lastforward,. to the nod^ 
m the direction of the resource; and no grant message is pending in the message buffer 
messages It follows by U2 U4, A2, and A4 that there is precisely one root in every 
state of hiis). Therefore, hiis) contains a start state of A, as desired. 

Consider the action tt = request (u, a) of A'„ originally the action reeeiverequest(u, a) 
T/^'( f "^J^"* !■ '^^ .* "* "«^hable states of A', and A,, respectively, such that 
I .u' I "^ '^ ** ^ '"P''^ '^'^°'' °^^°*^ automata, and hence is enabled from 

fH«t m^ ,i' ^^^^°^ - -> *' and t -^ t'. To show that f 6 /i,(s'). we must show 
that C^l holds. However, ir adds u to the set requesting, of requesting processes is s' 
and adds a request arrow to the set arrows {u, a) in t', and hence C^l holds. Therefore, 
t 6 ^2(5 J. ' 

Consider the action π = grant(u,a) of A'_3, originally the action receivegrant(u,a) 
of A_3. Suppose s and t are reachable states of A'_3 and A_2, respectively, such that 
t ∈ h_2(s). Since π is an input action in both automata, π is enabled from both s 
and t. Suppose s → s' and t → t'. We see by U4 that there is a grant arrow in the set 
arrows(a,u) of t iff holding_a = false and lastforward_a = u in s. If both conditions are 
false, then π has no effect on either state, and hence t ∈ h_2(s) implies t' ∈ h_2(s'). On 
the other hand, suppose both conditions are true. To show t' ∈ h_2(s'), we must show 
that U2, U3, and U4 hold. Notice that lastforward_a = u in s'. First, π sets holding_a 
to true in s', and adds a grant arrow to arrows(u,a) in t', so U2 holds. Second, π sets 
requested_a to false in s', and removes any request arrow from the set arrows(a,u) in t', 
so U3 holds. Finally, since π sets holding_a to true in s', the fact that π moves the grant 
arrow from arrows(a,u) to arrows(u,a) implies that U4 holds. Therefore, t' ∈ h_2(s'). 

Consider the action π = request(a,u) of A'_3, originally the action sendrequest(a,u) 
of A_3. Suppose s and t are reachable states of A'_3 and A_2, respectively, such that 
t ∈ h_2(s). If π is enabled from s, then the set requesting_a of requesting processes is 
nonempty in s, so U1 and A1 imply that some set arrows(w,a) contains a request 
arrow in t. Furthermore, since holding_a = false and lastforward_a = u in s, we have 
by U4 that arrows(a,u) contains a grant arrow in t, and hence that the edge (a,u) 
points toward the root in t. Finally, since requested_a = false in s, by U3 we have that 
arrows(a,u) does not contain a request arrow. Therefore, π is enabled from t. Suppose 
s → s' and t → t'. To see that t' ∈ h_2(s'), we must show that U3 holds. Notice that π 
sets requested_a to true in s', and that lastforward_a = u in s'. Since π adds a request 
arrow to arrows(a,u) in t', we see that U3 holds. Therefore, t' ∈ h_2(s'). 

Consider the action π = grant(a,u) of A'_3, originally the action sendgrant(a,u) 
of A_3. Suppose s and t are reachable states of A'_3 and A_2, respectively, such that 
t ∈ h_2(s). If π is enabled from s, then u is contained in the set requesting_a of requesting 
processes in s, and U1 implies that arrows(u,a) contains a request arrow. Furthermore, 
holding_a = true and lastforward_a = w in s, so U2 and A2 imply that arrows(b_{w,a}, a) 
(or arrows(w,a) if w is a user node) contains a grant arrow in t. In addition, since 
y ∉ requesting_a for all y ∈ (w,u) in s, U1 and A1 imply that in t no set arrows(b_{y,a}, a) (or 
arrows(y,a) if y is a user node) contains a request arrow for any y ∈ (w,u). Therefore π 
is enabled from t. Suppose s → s' and t → t'. To show that t' ∈ h_2(s'), we must show 
that U1, U2 and A2, U3 and A3, and U4 hold. First, the action π removes u from 
requesting_a in s' and removes a request arrow from arrows(u,a) in t', so U1 holds. 
Second, since holding_a is set to false in s', and since a is not a root in t', U2 and A2 
hold. Third, since holding_a = true in s, we see that requested_a = false in s and hence 
in s', so U3 and A3 hold. Finally, since π sets holding_a to false and lastforward_a to 
u in s', and since π adds a grant arrow to arrows(a,u) in t', we see that U4 holds. 
Therefore, t' ∈ h_2(s'). 

Consider the action π = request(b_{a',a}, a) of A'_3, originally receiverequest(a',a) of A_3. 
Suppose s and t are reachable states of A'_3 and A_2, respectively, such that t ∈ h_2(s). 
If π is enabled from s, the set messages of undelivered messages in s must contain a 
request message from a' to a. It follows by I1 that in t the set arrows(a', b_{a',a}) contains 
a request arrow, the set arrows(b_{a',a}, a) does not contain a request arrow, and the set 
arrows(a, b_{a',a}) does not contain a grant arrow. Since arrows(a', b_{a',a}) contains a request 
arrow, Lemma 36 implies that (a', b_{a',a}) points toward a root. This together with the 
fact that arrows(a, b_{a',a}) does not contain a grant arrow implies that (b_{a',a}, a) points 
toward the root as well. Therefore, the action π is enabled from t. Suppose s → s' and 
t → t'. In order to see that t' ∈ h_2(s'), we must show that A1 and I1 hold. First, π 
adds a' to the set requesting_a of requesting processes in s', and π adds a request arrow 
to arrows(b_{a',a}, a) in t', so A1 holds. Second, π removes a request message from a' to a 
from the set messages of undelivered messages in s', and π adds a request arrow to 
arrows(b_{a',a}, a), so I1 holds. Therefore, t' ∈ h_2(s'). 

Consider the action π = grant(b_{a',a}, a) of A'_3, originally the action receivegrant(a',a) 
of A_3. Suppose s and t are reachable states of A'_3 and A_2, respectively, such that 
t ∈ h_2(s). If π is enabled from s, the set messages of undelivered messages in s must 
contain a grant message from a' to a. By A4 we see that the set arrows(a', b_{a',a}) contains 
a grant arrow in t. Lemma 41 implies that the set arrows(a, b_{a',a}) must contain a request 
arrow. Since the degree of the buffer node b_{a',a} is 2, we see that π is enabled from t. 
Suppose s → s' and t → t'. Since the set arrows(a, b_{a',a}) contains a request arrow in t, 
Lemma 36 implies that the edge (a, b_{a',a}) points toward the root. By I2 we see that 
holding_a = false and lastforward_a = a' in s. Therefore, to see that t' ∈ h_2(s') we 
must show that A2, A3, A4, and I2 hold. First, π sets holding_a to true in s'. Notice 
that lastforward_a = a' in s, and therefore in s' as well. Since π adds a grant arrow to 
arrows(b_{a',a}, a) in t', we see that A2 holds. Second, π sets requested_a to false in s', and π 
removes a request arrow from arrows(a, b_{a',a}) in t', so A3 holds. Third, π removes a 
grant message from a' to a from the set messages of undelivered messages in s' and π 
removes a grant arrow from arrows(a', b_{a',a}) in t', so A4 holds. Finally, since holding_a 
is set to true in s', it is easy to see that I2 holds. Therefore, t' ∈ h_2(s'). 

Consider the action π = request(a, b_{a,a'}) of A'_3, originally the action sendrequest(a,a') 
of A_3. Suppose s and t are reachable states of A'_3 and A_2, respectively, such that 
t ∈ h_2(s). If π is enabled from s, then the set requesting_a of requesting processes is 
nonempty in s, and hence by U1 and A1 some set arrows(w,a) of t contains a request 
arrow. Furthermore, since holding_a = false and lastforward_a = a' in s, by I2 we see 
that the edge (a, b_{a,a'}) points toward the root in t. Finally, since requested_a = false 
in s, by A3 we see that there is no request arrow in arrows(a, b_{a,a'}) in t. Therefore, π 
is enabled from t. Suppose s → s' and t → t'. To see that t' ∈ h_2(s'), we must show 
that A3 and I1 hold. Notice that π sets requested_a to true in s', and places a request 
arrow in arrows(a, b_{a,a'}) in t'. Since lastforward_a = a' in s and hence in s', we see that 
A3 holds. Notice that requested_a = false in s. Since lastforward_a = a' in s, A3 implies 
that arrows(a, b_{a,a'}) does not contain a request arrow in t. Lemma 41 implies that there 
is no request arrow in arrows(b_{a,a'}, a') and no grant arrow in arrows(a', b_{a,a'}) in t, and 
hence the same is true in t'. Since π adds a request arrow to arrows(a, b_{a,a'}) in t', and 
adds a request message from a to a' to the set messages of undelivered messages in s', 
we see that I1 holds. Therefore, t' ∈ h_2(s'). 

Finally, consider the action π = grant(a, b_{a,a'}) of A'_3, originally sendgrant(a,a') of A_3. 
Suppose s and t are reachable states of A'_3 and A_2, respectively, such that t ∈ h_2(s). 
If π is enabled from s, then since a' ∈ requesting_a in s, we see by A1 that arrows(b_{a',a}, a) 
contains a request arrow in t. Since holding_a = true and lastforward_a = w in s, we see 
by U2 and A2 that a grant arrow must be contained in arrows(b_{w,a}, a) (or arrows(w,a) 
if w is a user node) in t. Furthermore, since y ∉ requesting_a for all y ∈ (w,a') in s, we 
see by U3 and A3 that no request arrow is contained in arrows(b_{y,a}, a) (or arrows(y,a) 
if y is a user node) in t. Therefore, π is enabled from t. Suppose s → s' and t → t'. 
To see that t' ∈ h_2(s'), we must show that A1, A2 and I2, A4, I1, and I2 hold. All 
except I1 are straightforward, so we show I1. Notice that arrows(b_{a',a}, a) contains a 
request arrow in t. By I1, there is no undelivered request message from a' to a in the 
set messages of s, and hence in s'. However, π puts a grant arrow in arrows(a, b_{a,a'}), 
[...] I1 holds. Therefore, t' ∈ h_2(s'). □ 

Having constructed the possibilities mapping h_2 from A'_3 to A_2, we now use this map- 
ping together with Lemma 33 to show that E'_3 satisfies E_2. Before using Lemma 33, 
however, we must translate the local correctness conditions C^u and C^a for E^u and E^a, 
respectively, into a global correctness condition for E'_3. We use Lemma 34 to recharact- 
erize E'_3 in this way. Let a and a' be adjacent arbiter nodes, and let v be an arbitrary 
(user or arbiter) node adjacent to a in G. Let 

$$
\begin{aligned}
\mathit{FwdReq}^s_2(v)' &= \{\, s \in \mathit{states}(A'_3) : s|A^u_a \in \mathit{FwdReq}^s_2(v) \,\} \\
\mathit{FwdGr}^s_2(v)' &= \{\, s \in \mathit{states}(A'_3) : s|A^u_a \in \mathit{FwdGr}^s_2(v) \,\} \\
\mathit{DelReq}^s_2(a,a')' &= \{\, s \in \mathit{states}(A'_3) : s|A^a_a \in \mathit{DelReq}^s_2(a,a') \,\} \\
\mathit{DelGr}^s_2(a,a')' &= \{\, s \in \mathit{states}(A'_3) : s|A^a_a \in \mathit{DelGr}^s_2(a,a') \,\}.
\end{aligned}
$$

Furthermore, let 

$$
\begin{aligned}
\mathit{FwdReq}_2' &= \bigwedge_{v} \mathit{FwdReq}^s_2(v)' \leadsto \mathit{FwdReq}^a_2(v)' \\
\mathit{FwdGr}_2' &= \bigwedge_{v} \mathit{FwdGr}^s_2(v)' \leadsto \mathit{FwdGr}^a_2(v)' \\
\mathit{DelReq}_2' &= \bigwedge_{a,a'} \mathit{DelReq}^s_2(a,a')' \leadsto \mathit{DelReq}^a_2(a,a')' \\
\mathit{DelGr}_2' &= \bigwedge_{a,a'} \mathit{DelGr}^s_2(a,a')' \leadsto \mathit{DelGr}^a_2(a,a')'.
\end{aligned}
$$

Finally, let [...]. If 

$$
C'_3 = \bigwedge_{a} C^u_a \wedge C^a_a ,
$$

then the following is an immediate result of Lemma 34. 

Lemma 47: E'_3 is the execution module of A'_3 with the executions of A'_3 satisfying C'_3. 



Having made this transformation from local to global correctness conditions, we 
now use Lemma 33 to show that E'_3 satisfies E_2. 

Lemma 48: E'_3 satisfies E_2. 

Proof: Let a and a' be adjacent arbiter nodes, and let v and w be arbitrary nodes 
adjacent to a. If v is an arbiter node, then let v' be the buffer node b_{a,v} between a 
and v; and let v' be the node v itself if v is a user node. The node v' is simply the node 
of S adjacent to a such that the edge (a,v') points toward v. Let w' be the analogous 
node with respect to w. We will show that 

1. h_2^{-1}(FwdReq^s_2(a,v')) ⊆ FwdReq^s_2(v)' 

2. h_2^{-1}(FwdReq^s_2(b_{a,a'}, a')) ⊆ DelReq^s_2(a,a')' 

3. h_2^{-1}(FwdGr^s_2(a,v',w')) ⊆ FwdGr^s_2(v,w)', and 

4. h_2^{-1}(FwdGr^s_2(b_{a',a}, a, a')) ⊆ DelGr^s_2(a',a)'. 

Since it is easy to see from the definition of f_2 and the following sets that 

1. FwdReq^a_2(v)' ⊆ FwdReq^a_2(a,v'), 

2. DelReq^a_2(a',a)' ⊆ FwdReq^a_2(b_{a',a}, a), 

3. FwdGr^a_2(v,w)' ⊆ FwdGr^a_2(a,v',w'), and 

4. DelGr^a_2(a',a)' ⊆ FwdGr^a_2(b_{a',a}, a, a'), 

it will follow by Lemma 33 that E'_3 satisfies E_2. 

First, suppose t ∈ h_2(s) is a state of FwdReq^s_2(a,v'), and let us show that s is a state 
of FwdReq^s_2(v)'. Since some set arrows(w,a) of t contains a request, we see by U1 and 
A1 that the set requesting_a of requesting processes is nonempty. Since (a,v') points 
toward the root in t, we see by U4 and I2 that holding_a = false and lastforward_a = v 
in s. Since the set arrows(a,v') does not contain a request arrow in t, the fact that 
lastforward_a = v together with U3 and A3 imply that requested_a = false. Therefore 
s ∈ FwdReq^s_2(v)'. 

Second, suppose t ∈ h_2(s) is a state of FwdReq^s_2(b_{a,a'}, a'), and let us show that s is a 
state of DelReq^s_2(a,a')'. Since in t there is a request arrow in arrows(w, b_{a,a'}) for some w, 
the edge (w, b_{a,a'}) must point toward the root. Since (b_{a,a'}, a') also points toward the 
root in t, and since this root is unique, this request arrow must be in arrows(a, b_{a,a'}). 
Furthermore, since (b_{a,a'}, a') points toward the root, we see that there can be no grant 
arrow in arrows(a', b_{a,a'}) and no request arrow in arrows(b_{a,a'}, a'). It follows by I1 that 
there is a request message from a to a' in the set messages of undelivered messages 
in s. Therefore, s ∈ DelReq^s_2(a,a')'. 

Third, suppose t ∈ h_2(s) is a state of FwdGr^s_2(a,v',w'), and let us show that s is 
a state of FwdGr^s_2(v,w)'. Since there is a request arrow in arrows(v',a) in t, U1 and 
A1 imply that v is contained in the set requesting_a of requesting processes. Since there 
is a grant arrow in arrows(w',a) in t, U2 and A2 imply that holding_a = true and 
lastforward_a = w in s. Therefore, s ∈ FwdGr^s_2(v,w)'. 

Finally, suppose t ∈ h_2(s) is a state of FwdGr^s_2(b_{a',a}, a, a'), and let us show that s is 
a state of DelGr^s_2(a',a)'. Since there is a grant arrow in arrows(a', b_{a',a}) in t, A4 implies 
that there is a grant message from a' to a in the set messages of undelivered messages 
in s. Therefore, s ∈ DelGr^s_2(a',a)'. □ 

Summarizing the work of the last few sections, we have the following result. 
Let E''_3 be the execution module obtained by renaming the actions of E_3 according to 
the action mapping f_1 f_2. 

Theorem 49: E''_3 solves E_1. 

Proof: Since E'_3 satisfies E_2, it follows by Lemma 27 that E''_3 satisfies E'_2. Since E'_2 
satisfies E_1, it follows by Lemma 26 that E''_3 satisfies E_1. Since E'_3 is implementable, 
Lemma 27 implies that E''_3 is implementable. Therefore, E''_3 solves E_1. □ 

With this we have proven the correctness of a fully-detailed protocol for resource 
allocation in an asynchronous network. 



3.4 Time Complexity 

The primary concern motivating Schonhage's arbiter is its time performance. For 
example, Lynch and Fischer consider two simple resource arbiters in [LF81], allocating 
a resource among n users. One arbiter is a process that simply polls each user in round- 
robin order, granting the resource to each requesting user in turn. Given that each user 
uses the resource for a bounded amount of time, the response time for this arbiter (the 
maximum time a user must wait for the resource) is O(n) regardless of the number of 
users requesting the resource. A second arbiter is a binary tree (a tournament tree) 
with the users at the leaves of the tree. Each internal node of the tree repeatedly 
polls its children until one of its children requests the resource, at which point it stops 
and passes the name of the child up to the internal node's parent. The root of the 
tree actually determines which user is granted the resource. When only one user is 
requesting the resource at a time, this arbiter's response time is only O(log n). In the 
worst case, however (when every user is requesting the resource), this arbiter's response 
time is O(n log n). Schonhage's algorithm, in contrast, combines favorable aspects of 
both these arbiters. In particular (in the case that the graph G is a binary tree), the 
arbiter's response time is O(log n) if only one user requests the resource at a time, and 
O(n) in the worst case. In this section we perform the complexity analysis needed to 
make these claims precise. 
For convenience, we perform our complexity analysis at the middle level of abstrac- 
tion, with the automaton A_2. We have not yet introduced the notion of time into our 
model. While we have not yet decided on how time should be incorporated into our 
model, one alternative is to assign times to states (or equivalently to actions) denoting 
the time at which an automaton transition causes the automaton to enter this state. 
Let us refer to such an execution as a timed execution. In order to perform any time 
analysis, it is necessary to place bounds on the time between automaton transitions. 
Recall that all liveness conditions required of the automaton A_2 in the construction 
of E_2 are of the form S ⇝ T, meaning that if A_2 enters a state of S, then eventually 
an action of T is performed. Let us denote by $S \overset{b}{\leadsto} T$ the condition that if A_2 enters a 
state s of S, then within time b an action π of T will be performed. That is, following 
state s in a timed execution satisfying $S \overset{b}{\leadsto} T$ there is a π-step to a state s' such that 
the difference in times assigned to s and s' is at most b. Let 

$$
\begin{aligned}
\mathit{BndedFwdReq}_2 &= \bigwedge_{a,v} \mathit{FwdReq}^s_2(a,v) \overset{b}{\leadsto} \mathit{FwdReq}^a_2(a,v) \\
\mathit{BndedFwdGr}_2 &= \bigwedge_{a,v,w} \mathit{FwdGr}^s_2(a,v,w) \overset{b}{\leadsto} \mathit{FwdGr}^a_2(a,v,w) \\
\mathit{BndedRtnRes}_2 &= \bigwedge_{u} \mathit{RtnRes}^s_2(u) \overset{b}{\leadsto} \mathit{RtnRes}^a_2(u)
\end{aligned}
$$

Let us say that a timed execution of A_2 is b-bounded if it satisfies the conditions 
BndedFwdReq_2, BndedFwdGr_2, and BndedRtnRes_2. We define the response time in 
a b-bounded execution x of A_2 to be a time r such that for all states s with request ∈ 
arrows(u,a) (where u is a user node) appearing in x, the difference in times assigned 
to s and the first state with grant ∈ arrows(a,u) appearing after s in x is less than r. 
Suppose the graph G has diameter d. It is easy to see that the response time for 
b-bounded executions of A_2 is 2bd when only one user requests the resource at a time: 
the request must travel the diameter of the graph to the root, and the root must be 
moved the diameter of the graph to the user. Thus, we have the following. 

Theorem 50: If the diameter of the graph G is d, then the response time in b-bounded 
executions of A_2 in which at most one user requests the resource at a time is 2bd. 

Conversely, suppose the graph G has e edges. We now show that the worst-case 
response time (when the arbiter is heavily loaded) is 3be − b. We begin with the 
following preliminary lemma, the inductive statement in the proof that the arbiter's 
response time is 3be − b. Given an edge (v,w), we define e(v,w) to be the number of 
edges in the subtree of v rooted at w. 

Lemma 51: Let s be a state of A_2 in which request ∈ arrows(v,w) and the edge 
(v,w) points toward the root. In any b-bounded execution fragment of A_2 from s, 
grant ∈ arrows(w,v) within time 3be(v,w) + b. 
Proof: The proof is by induction on e = e(v,w). Suppose e = 0. In this case, w 
is a leaf of the tree. Since the edge (v,w) points toward the root and w is a user 
node, condition BndedRtnRes_2 implies that grant ∈ arrows(w,v) within time 
b = 3be + b. 

Suppose e > 0 and the inductive hypothesis holds for numbers of edges less than e. 
By assumption, the edge (v,w) points toward the root. If w itself is the root, since 
request ∈ arrows(v,w), condition BndedFwdGr_2 implies that within time b we have 
grant ∈ arrows(w,x) for some node x. Notice that if x = v, then we are done. If w 
is not the root, then the edge (w,x) points toward the root for some node x. In 
either case, the edge (w,x) points toward the root within time b for some node x. 
Let x_0 = v, and let x_1, ..., x_n = x be the nodes from v to x in the ordering 
of nodes adjacent to w. Let e_i = e(w,x_i), and notice that e ≥ Σ_{i=1}^{n} (e_i + 1). We 
proceed by induction on i to show that if request ∈ arrows(v,w) and (w,x_i) points 
toward the root, then grant ∈ arrows(w,v) within time Σ_{j=1}^{i} 3b(e_j + 1). It will fol- 
low that grant ∈ arrows(w,v) within time b + Σ_{i=1}^{n} 3b(e_i + 1) ≤ 3be + b of the time 
request ∈ arrows(v,w). The case of i = 0 is vacuously true. Suppose i > 0 and the 
inductive hypothesis holds for i − 1. Since request ∈ arrows(v,w) and the edge (w,x_i) 
points toward the root, condition BndedFwdReq_2 implies 
that either request ∈ arrows(w,x_i) or grant ∈ arrows(x_i,w) within time b. In the case 
that request ∈ arrows(w,x_i), since the edge (w,x_i) points toward the root, the induc- 
tive hypothesis for e − 1 implies that grant ∈ arrows(x_i,w) within time 3be_i + b. In 
either case, grant ∈ arrows(x_i,w) within time 3be_i + 2b. Since request ∈ arrows(v,w), 
condition BndedFwdGr_2 implies that grant ∈ arrows(w,y) within time b for some 
y ∈ {x_0, ..., x_{i−1}}. The inductive hypothesis for i − 1 implies that grant ∈ arrows(w,v) 
within a further Σ_{j=1}^{i−1} 3b(e_j + 1), for a total of Σ_{j=1}^{i} 3b(e_j + 1). 
□ 
Finally, we have the following. 

[...] 

Proof: Let s be a state of A_2 in which request ∈ arrows(u,a) for some user node u. 
Either grant ∈ arrows(a,u) or the edge (u,a) points toward the root. In the case that 
grant ∈ arrows(a,u), the condition BndedRtnRes_2 implies that grant ∈ arrows(u,a) 
within time b. In the case that request ∈ arrows(u,a) and the edge (u,a) points toward 
the root, Lemma 51 implies that grant ∈ arrows(a,u) within time 
3be(u,a) + b = 3be − 2b, for a total of time 3be − b. □ 

Thus, as claimed, the response time in b-bounded executions is linear in the diameter 
of the network when the load on the arbiter is light, and linear in the size of the network 
when the load is heavy. We note that when an arbiter node grants the resource to an 
adjacent node, if it has received a request for the resource, it later forwards a request 
in the direction of the resource. As a result, three messages are sent over the edge 
to the adjacent node: the grant and request messages sent by the arbiter node, and a 
grant message sent to the arbiter node when the node receives the resource. Hence the 
worst-case response time of about 3be. If, however, the arbiter node were to combine 
the grant and request messages sent to the adjacent node, then only two messages would 
traverse the edge between them. We note that in this case the worst-case response time 
is 2be. We have chosen to separate the messages in order to make the algorithm easier 
to describe. 
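As a worked instance of Theorems 50 and 52 and of Lemma 51 (added here as an illustration; it is not part of the thesis), take G to be a complete binary tree with its n = 2^k user nodes at the leaves and an arbiter node at every internal node, a layout the text leaves open:

$$
\begin{aligned}
|V| &= 2n - 1, \qquad e = 2n - 2, \qquad d = 2k = 2\log_2 n, \\
\text{light load (Theorem 50):}\quad & 2bd = 4b\log_2 n = O(b \log n), \\
\text{heavy load (Theorem 52):}\quad & 3be - b = 3b(2n - 2) - b = 6bn - 7b = O(bn), \\
\text{combined grant/request messages:}\quad & 2be = 4bn - 4b .
\end{aligned}
$$

Lemma 51 gives the heavy-load bound directly: for a user u adjacent to arbiter a, the subtree of u rooted at a contains every edge except (u,a), so $e(u,a) = e - 1 = 2n - 3$ and $3b\,e(u,a) + b = 6bn - 8b = 3be - 2b$; adding the time $b$ for a user that currently holds the resource to return it yields $3be - b = 6bn - 7b$.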






Chapter 4 
Conclusions 



In this thesis we have introduced a new model of distributed computation in asyn- 
chronous systems. We find this model to be quite expressive, and find that the trans- 
parent, automata-theoretic semantics make reasoning about system behavior relatively 
simple. We have shown how the strong distinction between input and output actions 
captures the game-theoretic interplay between a system and its environment. This 
distinction has been found to be useful when describing the interface between system 
components, and when decomposing a system into modular components (see [Blo87]). 
We have found that the clarity of the interface between system components described 
by automata allows us to express the notion of fair computation quite simply and 
naturally. Finally, we have seen that automata may be used to construct hierarchical 
correctness proofs for distributed algorithms, allowing intuitive reasoning about key 
high-level ideas behind an algorithm's behavior to be incorporated into a formal proof 
of its correctness. While the framework developed in this thesis has proven to be quite 
useful, there are a number of ways in which it could be enhanced. We now consider a 
few of these enhancements. 

First of all, it would be nice to find a more compact notation, a programming 
language, for defining automata than the precondition/effects style of presentation 
used in this thesis. In particular, since our work is in several ways similar to CCS, 
it would be nice to develop a CCS-like calculus having input-output automata as its 
underlying operational semantics. We note that one aspect of CCS that has not been 
developed for input-output automata is a powerful theory of equational reasoning. We 
do not know if such a theory can be associated with our model. Any results in this 
direction will certainly be valuable, for they will allow us to combine the transparent 
operational semantics of input-output automata with powerful semantic techniques for 
reasoning about system behavior. 

As of yet, we have not attempted to characterize the expressive power of input- 
output automata. Our feeling that our model is generally quite powerful is the result 
of experience, and of our feeling that certain aspects of the model (such as the require- 
ment that an automaton be input-enabled) capture important aspects of asynchronous 
distributed computation. Bloom has made some initial attempts at characterizing the 
expressive power of our model in [Blo86]. In particular, he has characterized the lan- 
guages that can be expressed as the set of schedules of an automaton (resulting from 
arbitrary executions). Left uncharacterized are the languages that can be expressed as 
the set of schedules resulting from fair executions. Another possible characterization 
of interest is the relationship between the expressive power of temporal logic and our 
model. Wolper, Vardi, and Sistla show in [WVS83] that given a formula in a particular 
extension of temporal logic, it is possible to construct a Büchi automaton accepting 
precisely those sequences satisfying the given formula. It might be possible that these 
techniques can be adapted to prove a similar result for input-output automata. 

We note that our model includes a single, simple notion of automaton composition. 
In particular, our composition requires that automata sharing an action π perform π 
simultaneously whenever π is performed by their composition. The intention is that if π 
is an output action of A and an input action of B, then the simultaneous performance 
of π models communication from A to B. We think of the performance of π as a 
computational step of A causing B to be notified of the arrival of input. However, 
since two processes in an asynchronous system cannot be expected to perform an action 
simultaneously, rather than complicating our notion of composition, we have chosen 
to require that the output actions of automata in a composition be disjoint. This 
has a number of effects on how systems are modeled with automata. For instance, to 
use Hoare's example of a vending machine (see [Hoa85]), suppose that we construct 
automata modeling humans, and an automaton modeling a vending machine. Humans 
can insert coins into the vending machine (output from humans and input to the vending 
machine). Since we require that the output actions of automata in a composition be 
disjoint, if we compose a collection of humans with the vending machine, each human's 
output action of inserting a coin must be tagged with an identifier. Thus, the vending 
machine is effectively able to determine which human is inserting a coin, which is not 
necessarily a realistic model of this simple interaction. It might be interesting to study 
other notions of composition that would avoid this problem. One such composition 
might require all automata having π as an input action to synchronize with precisely 
one automaton (the same for all) having π as an output action. While this is a natural 
notion of composition, the semantics of this composition complicate our model quite a 
bit. We feel that one virtue of our composition is that, as a consequence of Corollary 3, 
reasoning about the enabling of an action in a composition can be carried out by 
reasoning about the state of a single component. This has been found to be very 
convenient in [LM86]. 

While fair computation is important to us, we have not made an explicit study of the 
nature of fairness in our model. In fact, we have defined only one of several possible 
notions of fairness (see [Fra86]). We feel that it should be possible to express many 
other notions of fairness in our model, and the study of these definitions in our model 
is of interest to us. 
However, since the primary emphasis of this thesis has been the decomposition of 
correctness proofs both hierarchically and modularly, we are naturally interested in 
continuing the study of how automata can be used in new techniques of decomposition. 
We have already mentioned the work of [LS84a] and [LLW87]. The authors of these 
papers seem to be using a horizontal decomposition different from any considered in 
our work. In our work we have attempted to decompose systems into modular units 
that can be composed to yield the desired system. Once this decomposition has been 
made, each component can be examined in isolation, simplifying the verification pro- 
cess. In some systems, however, the system components are so heavily interdependent 
that no clean decomposition appears possible. [LS84a] and [LLW87] use the technique 
of projecting onto one system component (or algorithm component), abstracting the 
remaining system components to a high-level black box, and reasoning about the re- 
maining "images." Notice that these images cannot be composed to yield a model of 
the system, since each is a model of the complete system. The work of [LLW87] concerns 
how correctness proofs for each image can be combined into a correctness proof for the 
entire system. This work appears to be quite promising. 

Finally, while this thesis has essentially ignored the notion of time, time is a very 
important part of modern distributed systems. Timeouts, for instance, are a crucial 
part of the fault-tolerance of many communication algorithms. Furthermore, complex- 
ity analysis of algorithms requires some notion of bounds on processor step times and 
message delivery times. We have shown, using rather ad hoc techniques, how rigorous 
reasoning about time complexity can be performed in our model. A very important 
problem is that of incorporating time into our model more naturally, and investigating 
useful properties about time that can be used to reason about the time complexity of algo- 
rithms in our model. For instance, what does it mean to compose the timed equivalent 
of execution modules? Another important problem is that of relating complexity results 
obtained at different levels of abstraction. In our example, we analyzed the complexity 
of Schonhage's arbiter at a level of abstraction higher than the fully-detailed protocol, 
but it is not hard to see how this complexity result translates down to the lower level 
of abstraction. In general, however, relating time complexities at different levels of 
abstraction is a difficult problem. Such problems certainly deserve further study. 